Fix a dumb type condition in gdrive.py

jvoisin · jvoisin · commit 8ad9f4e3b79c · 2026-04-14T22:51:36.000+02:00
hashlib.md5(dbpath) returns a hash object, not a hex string. Comparing a string
(md5Checksum) to a hash object with != always returns True. This means the
DB-replacement code path is always entered, allowing an attacker who sends a
forged notification (with the known static token) to trigger an arbitrary
metadata.db download from GDrive, replacing the live database.
diff --git a/cps/gdrive.py b/cps/gdrive.py
@@ -140,7 +140,7 @@ def on_received_watch_confirmation():
             if response:
                 dbpath = os.path.join(config.config_calibre_dir, "metadata.db").encode()
                 if not response['deleted'] and response['file']['title'] == 'metadata.db' \
-                  and response['file']['md5Checksum'] != hashlib.md5(dbpath):  # nosec
+                  and response['file']['md5Checksum'] != hashlib.md5(dbpath).hexdigest():  # nosec
                     tmp_dir = get_temp_dir()
 
                     log.info('Database file updated')
