When compiled --with-libmetalink
and used with --metalink
curl does check the cryptographics hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user. The files with incorrect hashes are left to the disk as-is.
Since curl implements the hash validation and reports incorrect hashes there might be an expectation that files with incorrect hashes would not be kept either. Since the metalink can be used with insecure protocols such as http and ftp, the hash validation might be used an actual way to verify the download integrity against tampering.
1.Configure libcurl --with-libmetalink
and build libcurl
2. Have metalinktest.xml with <file name="testfile">
containing incorrect sha-256 hash for it.
3. Execute: curl --metalink https://testsite/metalinktest.xml
The following message will be displayed:
Metalink: validating (testfile) [sha-256] FAILED (digest mismatch)
Yet, the downloaded file testfile
with incorrect hash mismatch is kept.
It might be more sensible to download the file to a temporary name first, verify the hash and only then store the file to final name if the hash is correct. If hash mismatch is found remove the temporary file.
Modified or tampered files are kept and possibly incorrectly assumed valid