[#17632] - light checksum for joomlaupdate
- Fixed in Code Base
- 17 Mar 2018
- Medium
- Build: staging
- # 17632
- Diff
- alikon:patch-92
User tests: Successful: Unsuccessful:
...from #17619 (comment)
add light checksum for joomla update
Summary of Changes
trigger the checksum check on update
if the update server manifest have an hash tag
Testing Instructions
- start with latest staging (for time of writing) version 3.8.0-beta5
- apply pr #17619
- in order to simulate a joomlaupdate
-
- run
php bump version 3.8.0-beta4(i.e one version before)
- run
- set Update channel to custom URL for example (http://localhost/test/list_testpr17632.xml)
- create that file with something like this content
<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
<extension name="Joomla" element="joomla" type="file" version="3.8.0-beta4" targetplatformversion="3.8" detailsurl="http://localhost/test/extension_testpr17632.xml" />
</extensionset>- create http://localhost/test/extension_testpr17632.xml with something like this content
<?xml version="1.0" ?>
<updates>
<update>
<name>Joomla! 3.8</name>
<description>Joomla! 3.8 CMS</description>
<element>joomla</element>
<type>file</type>
<version>3.8.0-beta4</version>
<infourl title="Joomla!">https://www.joomla.org</infourl>
<downloads>
<downloadurl type="full" format="zip">http://localhost/test/Joomla_pr17632-Update_Package.zip</downloadurl>
</downloads>
<tags>
<tag>stable</tag>
</tags>
<maintainer>Joomla! PLT</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="3.[3456789]"/>
<php_minimum>5.3.10</php_minimum>
</update>
</updates>
-
download the last joomla update package for example https://github.com/joomla/joomla-cms/releases/download/3.8.0-beta4/Joomla_3.8.0-beta4-Beta-Update_Package.zip
-
copy & rename accordingly on the previous
downloadurltag (for exampleJoomla_pr17632-Update_Package.zip -
Go to Components -> Joomla! Updates
you shoud see something like
Test case 1 - no checksum hashtag in the update server manifest
Expected result
a notice is showed
to test the next 2 cases we need to :
- calculate the hash value (for example sha256)
- -(on linux) run
sha256sum Joomla_pr17632-Update_Package.zip
Test case 2 - correct checksum hashtag in the update server manifest
- add a
<sha256>correcthashvalue</sha256>tag in the current update server instance something like:
Expected result
a info is showed
Test case 3 - wrong checksum hashtag in the update server manifest
- add a
<sha256>wronghashvalue</sha256>tag in the current update server instance
Expected result
a warning is showed
Documentation Changes Required
new tags :
<sha256></sha256><sha384></sha384><sha512></sha512>
joomla-cms-bot
- | Category | ⇒ | Administration com_joomlaupdate Language & Strings |
| Status | New | ⇒ | Pending |
Personally I'd rather not support SHA1 and MD5 since they are weak. If SHA256 doesn't have the same weaknesses then that'd be fine.
should we consider to add sha512 "longer is better" ?
should we consider to add sha512 "longer is better" ?
Sounds good. ;)
@alikon detailed the steps to create list.xml and extension_sts.xml.... so I guess he was thinking to enter the Url on the "Custom URL" field.
In "Joomla Update", you have "Options", where you can play with "Update Channel"
For testing, you can change it to a "Custom URL".
@anibalsanchez , @NunoLopes96
added more clear test info ;)
@anibalsanchez , @NunoLopes96 are Test Info @alikon suggested unclear?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.
It is OK for me.
@anibalsanchez can i alter above Comment as successfully Test?
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.
Test OK
My notes:
- Apply PR #17619 AND PR #17632
- I tested updating from 3.8.0 to 3.8.1
- After every test, Joomla is updated... so the patches have to be re-applied for the next test
These are my xmls:
list_testpr17632.xml
<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
<extension name="Joomla" element="joomla" type="file" version="3.8.1" targetplatformversion="3.8" detailsurl="http://local-server.extly.com/j38/extension_testpr17632.xml" />
</extensionset>
extension_testpr17632.xml
<?xml version="1.0" ?>
<updates>
<update>
<name>Joomla! 3.8</name>
<description>Joomla! 3.8 CMS</description>
<element>joomla</element>
<type>file</type>
<version>3.8.1</version>
<infourl title="Joomla!">https://www.joomla.org</infourl>
<downloads>
<downloadurl type="full" format="zip">http://local-server.extly.com/j38/Joomla_pr17632-Update_Package.zip</downloadurl>
</downloads>
<tags>
<tag>stable</tag>
</tags>
<sha256>e8339bed3cbba5eebb7d355e026d29594ec164420beebe97839b0019b630ed96</sha256>
<maintainer>Joomla! PLT</maintainer>
<maintainerurl>https://www.joomla.org</maintainerurl>
<targetplatform name="joomla" version="3.[3456789]"/>
<php_minimum>5.3.10</php_minimum>
</update>
</updates>
I have tested this item
Great Work !!
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.
@NunoLopes96 just a follow up from your work at Joomla GSoC 17 project https://github.com/joomla-projects/gsoc17_expand_extension_manager
| Status | Pending | ⇒ | Ready to Commit |
RTC after two successful tests.
| Title |
|
||||||
@brianteeman Please retag for v3.9.0. Darn bot!
| Labels |
Added:
?
?
?
|
||
conflict solved
| Category | Administration com_joomlaupdate Language & Strings | ⇒ | Administration com_admin com_joomlaupdate Language & Strings Installation |
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-03-17 15:51:35 |
| Closed_By | ⇒ | mbabker | |
| Labels |
Added:
?
Removed: ? |
||
@mbabker can we have your final words on the algos as SHA1 and MD5 are very well known to be weak. Expecial as the core should provide a more secure algo.