Language Change PR-4.0-dev

Pending


NunoLopes96
16 Aug 2017

Introduction

Currently there is no security when downloading files from update sites or uploading a package. With this feature, the main goal is to make sure that only the original files are downloaded and installed by checking the integrity of the package (SHA256, SHA1 and MD5 hashes), lowering the risk of getting infected files that can put the user at risk.

Summary of Changes

This verification will only be made when installing packages from URL or uploading a package file in the Install view. This is how the process of verification will happen:
screenshot from 2017-08-08 16-53-23
(note: I forgot to place the SHA-256 hash here)

Testing Instructions

We will have 3 packages to test:

Package with the correct hashes in the update server manifest:
component_joomla.zip

Here is the update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension.xml

Package with the wrong hashes:
component_joomla_wrong_checksum.zip

As a reminder, without the Force Install option checked you won't install the extension.

Update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension_wrong_hash.xml

Package without hashes:
component_joomla_no_checksum.zip

Update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension_no_chechsum.xml

Expected result

Case 1 - File Checksum OK:
A success message when the checksums are equal

Case 2 - File Checksum Failed:
A danger message when the checksums are not equal and the user does not want to force the installation, redirecting back to the view without installing the extension

Case 3 - File Checksum Failed but user wants to force install:
There will be a checkbox on the upload package and install from URL tabs where the user can check if he really wants to install the extension even if the checksum fails.
A warning will appear if the checksum fails.

Case 4 - No checksum found:
If the extension has no update site, or no checksums (MD5, SHA1 or SHA256 tags) are shown in the update site manifest, a warning should appear to make sure the users know that no security verification was provided in the extension package.
An info message will appear saying that no hashes are available.

Actual result

Currently there is no security or information related to this

Documentation Changes Required

joomla-cms-bot - change - 16 Aug 2017
Category: Administration com_installer Language & Strings Front End Plugins
NunoLopes96 - open - 16 Aug 2017
NunoLopes96 - change - 16 Aug 2017
Status: New → Pending
NunoLopes96 - change - 16 Aug 2017
Title: "Checksum extensions" → "[4.0] Checksum extensions - GSoC Expand Extensions Manager"
NunoLopes96 - edited - 16 Aug 2017
NunoLopes96 - change - 17 Aug 2017
Labels Added: Language Change PR-4.0-dev
alikon - comment - 19 Aug 2017

a light port to 3.8 #17619

bembelimen - comment - 25 Aug 2017

Perhaps I did not understand the patch, but what problem do you want to fix with this PR?

Which scenario now has better protection with this PR?

Edit: to concretize my question: in which cases do the hashes differ?
Edit2: I guess it should protect from hacked files? How do you make sure that the hash itself is valid?

brianteeman - comment - 25 Aug 2017

The provided hash lets you double-check that the file you downloaded was not corrupted accidentally in transit, or that the file you downloaded from another source (a faster mirror or GitHub etc.) is the same as the file available for download at the original website where the hash is published.

wilsonge - comment - 19 Nov 2017
  1. Can we fix conflicts please :)
  2. The bad checksum extension still installs (we talked about this after the panel - all the checksums in that file aren't the ones you check for)
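
The four outcomes listed under "Expected result" in the PR description, sketched as an added example that is not code from this PR or from Joomla. The function name, the outcome labels and the `algorithm => digest` array are assumptions, as are two policy choices the thread does not spell out: any published digest that differs fails the check, and Case 4 continues the installation after the notice. The last sample row shows a manifest whose only digest uses an algorithm outside the checked set; it falls into Case 4 rather than counting as a pass.

```php
<?php
// Added example, not Joomla code. verifyPackage(), the outcome labels and the
// algorithm => digest array shape are assumptions made for illustration.
const CHECKED_ALGOS = ['sha256', 'sha1', 'md5']; // the three hashes the PR names

/** Returns [outcome label, whether installation should proceed]. */
function verifyPackage(string $packagePath, array $manifestHashes, bool $forceInstall): array
{
    $compared = 0;
    $mismatch = false;
    foreach (CHECKED_ALGOS as $algo) {
        $expected = strtolower(trim((string) ($manifestHashes[$algo] ?? '')));
        if ($expected === '') {
            continue; // manifest publishes no digest for this algorithm
        }
        $compared++;
        $actual = hash_file($algo, $packagePath); // false if the file is unreadable
        if ($actual === false || !hash_equals($expected, $actual)) {
            $mismatch = true; // assumption: any differing published digest fails the check
        }
    }
    if ($compared === 0) {
        return ['no_checksum', true];  // Case 4: notice shown, nothing was verified
    }
    if (!$mismatch) {
        return ['ok', true];           // Case 1: success message
    }
    return $forceInstall
        ? ['failed_forced', true]      // Case 3: warning, install continues
        : ['failed', false];           // Case 2: danger message, no install
}

// Constructed sample input: a temp file standing in for a package.
$pkg = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($pkg, 'constructed package bytes');
$good = ['sha256' => hash_file('sha256', $pkg), 'md5' => hash_file('md5', $pkg)];
$bad  = ['sha256' => str_repeat('0', 64)] + $good; // sha256 wrong, md5 still right

$cases = [[$good, false], [$bad, false], [$bad, true], [[], false],
          [['sha512' => 'abc'], false]]; // digest present, but not one that is checked
foreach ($cases as [$hashes, $force]) {
    [$outcome, $install] = verifyPackage($pkg, $hashes, $force);
    printf("%-14s install=%s\n", $outcome, $install ? 'yes' : 'no');
}
unlink($pkg);
```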
