? ? Failure

User tests: Successful: Unsuccessful:

avatar NunoLopes96
NunoLopes96
16 Aug 2017

Introduction

Currently there is no security when downloading files from update sites or uploading a package, with this feature the main goal is to make sure that only the original files are downloaded and installed by checking the integrity of the package(SHA256, SHA1 and MD5 Hashes), lowering the risk of getting infected files that can risk the user.

Summary of Changes

This verification will only be made for installing packages from URL or uploading a package file in the Install view, this is how the process of verification will happen:
screenshot from 2017-08-08 16-53-23
(note: I forgot to place the SHA-256 hash here)

Testing Instructions

We will have 3 packages to test:

Package with the correct hashes in the update server manifest:
component_joomla.zip

Here is the update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension.xml

Package with the wrong hashes:
component_joomla_wrong_checksum.zip

I remember here that without the Force Install checked you won't install the extension

Update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension_wrong_hash.xml

Package without hashes:
component_joomla_no_checksum.zip

Update server manifest:
https://www.jah-tz.de/downloads/core/gsoc17/extension_no_chechsum.xml

Expected result

Case 1 - File Checksum OK:
A success message when the checksums are equal

Case 2 - File Checksum Failed:
A danger message when the checksums are not equal and the user does not want to force the installation, redirecting back to the view without installing the extension

Case 3 - File Checksum Failed but user wants to force install:
There will be a checkbox on the upload package and install from URL tab where the user can check if he really wants to install the extension even if the Checksum fails.
A warning if the checksum fails will appear.

Case 4 - No checksum found:
If the extension has no update site or no checksums (MD5, SHA1 or SHA256 tags) are showed in the update site manifest a warning should appear to make sure the users know that no security verification was provided in the extension package.
A info message will appear that no Hashes are available.

Actual result

Currently there is no security or information related to this

Documentation Changes Required

avatar joomla-cms-bot joomla-cms-bot - change - 16 Aug 2017
Category Administration com_installer Language & Strings Front End Plugins
avatar NunoLopes96 NunoLopes96 - open - 16 Aug 2017
avatar NunoLopes96 NunoLopes96 - change - 16 Aug 2017
Status New Pending
avatar NunoLopes96 NunoLopes96 - change - 16 Aug 2017
Title
Checksum extensions
[4.0] Checksum extensions - GSoC Expand Extensions Manager
avatar NunoLopes96 NunoLopes96 - change - 16 Aug 2017
Title
Checksum extensions
[4.0] Checksum extensions - GSoC Expand Extensions Manager
avatar NunoLopes96 NunoLopes96 - edited - 16 Aug 2017
avatar NunoLopes96 NunoLopes96 - change - 17 Aug 2017
Labels Added: ? ?
avatar alikon
alikon - comment - 19 Aug 2017

a light port to 3.8 #17619

avatar brianteeman
brianteeman - comment - 25 Aug 2017

The provided hash lets you double-check that the file you downloaded was not corrupted accidentally in transit, or that the file you downloaded from another source (a faster mirror or github etc) is the same as the file available for download at the original website where the hash is published

avatar wilsonge
wilsonge - comment - 19 Nov 2017
  1. Can we fix conflicts please :)
  2. The bad checksum extension still installs (we talked about this after the panel - all the checksums in that file aren't the ones you check for)
avatar franz-wohlkoenig franz-wohlkoenig - change - 11 Apr 2019
Category Administration com_installer Language & Strings Front End Plugins Administration com_installer Front End Plugins
avatar schultz-it-solutions
schultz-it-solutions - comment - 15 Apr 2019

The Update Server manifests seem to no longer exist
https://www.jah-tz.de/downloads/core/gsoc17/extension.xml

Could you please direct me to an example (or description) of the changes in the manifest.

avatar sanderpotjer
sanderpotjer - comment - 5 May 2019

@roland-d while working on the extension manager features, can you please update this PR as well (or create a new one).

avatar roland-d roland-d - assigned - 5 May 19
avatar uglyeoin
uglyeoin - comment - 19 Oct 2019

Have @wilsonge comments been taken account of? Is this ready to test yet?

avatar wilsonge
wilsonge - comment - 19 Oct 2019

No no use in testing this right now.

avatar roland-d
roland-d - comment - 1 Aug 2020

This can be closed and picked up in another PR if someone is interested.

avatar roland-d roland-d - change - 1 Aug 2020
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2020-08-01 15:23:13
Closed_By roland-d
avatar roland-d roland-d - close - 1 Aug 2020
avatar joomla-cms-bot joomla-cms-bot - change - 1 Aug 2020
Category Administration com_installer Front End Plugins Administration com_installer Language & Strings Front End Plugins

Add a Comment

Login with GitHub to post a comment