Verify hash of Python installer

qbittorrent · Nov 19, 2024 · 9ab699c · 9ab699c
1 parent 7f901a8
commit 9ab699c
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/src/gui/mainwindow.cpp b/src/gui/mainwindow.cpp
@@ -56,6 +56,10 @@
 #include <QString>
 #include <QTimer>
 
+#ifdef Q_OS_WIN
+#include <QCryptographicHash>
+#endif
+
 #include "base/bittorrent/session.h"
 #include "base/bittorrent/sessionstatus.h"
 #include "base/global.h"
@@ -113,7 +117,11 @@ namespace
 
     const std::chrono::seconds PREVENT_SUSPEND_INTERVAL {60};
 
+#ifdef Q_OS_WIN
     const QString PYTHON_INSTALLER_URL = u"https://www.python.org/ftp/python/3.13.0/python-3.13.0-amd64.exe"_s;
+    const QByteArray PYTHON_INSTALLER_MD5 = QByteArrayLiteral("f5e5d48ba86586d4bef67bcb3790d339");
+    const QByteArray PYTHON_INSTALLER_SHA3_512 = QByteArrayLiteral("28ed23b82451efa5ec87e5dd18d7dacb9bc4d0a3643047091e5a687439f7e03a1c6e60ec64ee1210a0acaf2e5012504ff342ff27e5db108db05407e62aeff2f1");
+#endif
 }
 
 MainWindow::MainWindow(IGUIApplication *app, const WindowState initialState, const QString &titleSuffix)
@@ -1921,6 +1929,44 @@ void MainWindow::pythonDownloadFinished(const Net::DownloadResult &result)
     const Path exePath = result.filePath + u".exe";
     Utils::Fs::renameFile(result.filePath, exePath);
 
+    // verify hash
+    // Python.org only provides MD5 hash but MD5 is already broken and doesn't guarantee file is not tampered.
+    // Therefore, MD5 is only included to prove that the hash is still the same with upstream and we rely on
+    // SHA3-512 for the main check.
+    {
+        QFile file(exePath.data());
+        if (!file.open(QIODevice::ReadOnly))
+        {
+            restoreWidgetsState();
+            LogMsg((tr("Failed to open Python installer. File: \"%1\".").arg(exePath.toString())), Log::WARNING);
+            return;
+        }
+
+        QCryptographicHash md5Hash {QCryptographicHash::Md5};
+        md5Hash.addData(&file);
+        if (const QByteArray hashHex = md5Hash.result().toHex(); hashHex != PYTHON_INSTALLER_MD5)
+        {
+            restoreWidgetsState();
+            LogMsg((tr("Failed MD5 hash check for Python installer. File: \"%1\". Result hash: \"%2\". Expected hash: \"%3\".")
+                    .arg(exePath.toString(), QString::fromLatin1(hashHex), QString::fromLatin1(PYTHON_INSTALLER_MD5)))
+                , Log::WARNING);
+            return;
+        }
+
+        file.seek(0);
+
+        QCryptographicHash sha3Hash {QCryptographicHash::Sha3_512};
+        sha3Hash.addData(&file);
+        if (const QByteArray hashHex = sha3Hash.result().toHex(); hashHex != PYTHON_INSTALLER_SHA3_512)
+        {
+            restoreWidgetsState();
+            LogMsg((tr("Failed SHA3-512 hash check for Python installer. File: \"%1\". Result hash: \"%2\". Expected hash: \"%3\".")
+                    .arg(exePath.toString(), QString::fromLatin1(hashHex), QString::fromLatin1(PYTHON_INSTALLER_SHA3_512)))
+                , Log::WARNING);
+            return;
+        }
+    }
+
     // launch installer
     auto *installer = new QProcess(this);
     installer->connect(installer, &QProcess::finished, this, [this, exePath, installer, restoreWidgetsState](const int exitCode, const QProcess::ExitStatus exitStatus)