No Code Attached Yet
sanus70
22 Aug 2021

Hi all,

since J4 will use the checksum while updating an extension, the current implementation runs into a problem because, before the update is downloaded, Joomla will re-request the manifest file. The problem is that this is done without the extra_query key attached, which results in a manifest file for non-commercial updates (with a different checksum).
After the request of the manifest, the updater requests the download with the extra_query key. At this point, there is a sha256 checksum for a free extension and a downloaded commercial zip with another checksum.
Finally the update fails with: "The checksum verification failed. Please make sure you are using the correct update server!"

Solution:
```php
public function update($uids, $minimumStability = Updater::STABILITY_STABLE)
{
	$result = true;

	foreach ($uids as $uid)
	{
		$update = new Update;
		$instance = new \Joomla\CMS\Table\Update($this->getDbo());

		if (!$instance->load($uid))
		{
			// Update no longer available, maybe already updated by a package.
			continue;
		}

		// Load the update site this update belongs to, so its extra_query (download key) is available.
		// (Added here because the snippet did not show where $updateSiteInstance comes from.)
		$updateSiteInstance = new \Joomla\CMS\Table\UpdateSite($this->getDbo());
		$updateSiteInstance->load($instance->update_site_id);

		// Append the extra_query key to the manifest URL too, not only to the package download URL.
		if ($extra_query = $updateSiteInstance->extra_query)
		{
			$instance->detailsurl .= (strpos($instance->detailsurl, '?') === false) ? '?' : '&';
			$instance->detailsurl .= $extra_query;
		}

		$update->loadFromXml($instance->detailsurl, $minimumStability);
		...
```

Append the key for the manifest request also.

Kind regards
Christian

sanus70 - open - 22 Aug 2021
joomla-cms-bot - change - 22 Aug 2021
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 22 Aug 2021
PhilETaylor - comment - 22 Aug 2021

Hmmm... maybe you should use different update streams for different licensed products? One for free and one for commercial?

sanus70 - comment - 22 Aug 2021

There is no reason why the key is not appended to the request at that stage.

Different update streams can't be a solution, since the key is used to identify a valid update of a paying customer. Without the key, you just have to use the update link, regardless of whether you are allowed to update or not. Not a solution.

zero-24 - comment - 22 Aug 2021

@sanus70 please send us a PR against the 3.10-dev branch so it can be patched in the upcoming 3.10 and 4.0 releases?

PhilETaylor - comment - 22 Aug 2021

If by adding a download Id you get different hashes, then you are distributing different products. If the products were the same the hashes would be equal. Two different products should have two different update streams.

sanus70 - comment - 22 Aug 2021

Maybe I can't see it but even with different streams the problem persists.
Look:

  1. Joomla looks if an update is available: + key
    -> manifest file with the commercial update is sent.
  2. Joomla requests the update package.
      1. step: no key
        -> update server sees no key, so it will fall back to the free version
      2. step: for package (given in the previous request) with key
        -> update server sees a key, so it will send the commercial version
      3. Error with mismatch of sha

Without the use of a key, the manifest file will point to the last commercial version available, regardless of whether the user is allowed or not.
Assuming this, the updater will work since the sha hashes are equal.
Now, the user is no longer allowed to update (end of subscription). Since the key is not in use, he will always get the latest version, because the update server does not know that he is no longer allowed to update. And there is more to note. Everybody is able to share the update URLs and get the packages for free.
At J3 times, this was not a problem because J3 did not check against the manifest. Since J4 will check the sha, the manifest has to be the correct one for free / commercial updates.
Do you see the point?

PhilETaylor - comment - 22 Aug 2021

You fundamentally misunderstand how download ids are meant to be used.

If no id is provided you should return a 403 Forbidden when Joomla attempts to download the commercial licensed zip file specified in the xml.

Take a look at the reference product which would be Akeeba Backup Professional and how com_ars (akeeba release system) works.

Yes it would be easy to add the download id to the xml, but this is not how the whole process was designed to work.
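
To make the two positions in this thread concrete (sanus70's three-step sequence above and Phil's "403 without a download id" model), here is an added simulation that is not part of the issue or of Joomla's code. It models a constructed single-stream server that silently falls back to the free package, a constructed separate commercial stream that refuses key-less downloads, and an updater that re-fetches the manifest, downloads, and verifies the sha256 the way the issue describes; package bytes and the key are made-up sample values.

```python
import hashlib

# Constructed sample data: the free and commercial zips differ, so their sha256 differs.
FREE_ZIP = b"free-extension-zip-bytes"
PRO_ZIP = b"commercial-extension-zip-bytes"
DOWNLOAD_KEY = "dlid=customer-key-123"  # constructed extra_query / download id


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FallbackServer:
    """One update stream for free and paid users: without a key it quietly
    serves the free package (the server behaviour the issue describes)."""

    def manifest(self, key):
        pkg = PRO_ZIP if key == DOWNLOAD_KEY else FREE_ZIP
        return {"downloadurl": "/pkg.zip", "sha256": sha256(pkg)}

    def download(self, url, key):
        return PRO_ZIP if key == DOWNLOAD_KEY else FREE_ZIP


class StrictCommercialServer:
    """Separate commercial stream: the manifest always describes the commercial
    package and the download is refused (403) unless a valid key is sent."""

    def manifest(self, key):
        return {"downloadurl": "/pro.zip", "sha256": sha256(PRO_ZIP)}

    def download(self, url, key):
        if key != DOWNLOAD_KEY:
            raise PermissionError("403 Forbidden")
        return PRO_ZIP


def run_update(server, key, key_on_manifest_request):
    """Mimic the J4 updater: re-request the manifest (with or without the key),
    download with the key, then verify the package against the manifest sha256."""
    manifest = server.manifest(key if key_on_manifest_request else None)
    try:
        pkg = server.download(manifest["downloadurl"], key)
    except PermissionError:
        return "forbidden"
    if sha256(pkg) != manifest["sha256"]:
        return "checksum_mismatch"  # the failure reported in the issue
    return "ok"
```

Against the fallback server the paying customer fails only when the manifest is fetched without the key; against the strict stream the checksum always matches and a missing key surfaces as a 403 instead of a silent downgrade.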

sanus70 - comment - 22 Aug 2021

We will see... If I am right, this problem will be seen by many third parties ;-)
It's not a problem of sending the zip or 403, it's the problem explained above...

alikon - change - 23 Aug 2021
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2021-08-23 07:18:51
Closed_By: alikon
alikon - close - 23 Aug 2021
alikon - comment - 23 Aug 2021

closing as we have a PR #35306

Ruud68 - comment - 23 Aug 2021

You fundamentally misunderstand how download ids are meant to be used.

If no id is provided you should return a 403 Forbidden when Joomla attempts to download the commercial licensed zip file specified in the xml.

Take a look at the reference product which would be Akeeba Backup Professional and how com_ars (akeeba release system) works.

Yes it would be easy to add the download id to the xml, but this is not how the whole process was designed to work.

Phil is (IMO) right: download key is used to authorize a download (because automated downloading cannot use username / password).
This is also how ochSubscriptions (for offering downloads) works.
An extension is either paid for or free: these are two versions with their own manifest file and update servers.
If you can download a commercial version without a download key / login just by following a URL, then your distribution extension does not have its security / authorization in order.

@sanus70 what extension are you using for distributing?

PhilETaylor - comment - 23 Aug 2021

see nic's comments - especially about CDN busting in the PR #35306

richard67 - comment - 23 Aug 2021

Maybe it would be better to continue the discussion in the open PR #35306 and not in the closed issue here?

sanus70 - comment - 23 Aug 2021

@Ruud68 - Using my own ;-)