light checksum for joomlaupdate #17632

Merged
merged 7 commits into joomla:3.9-dev from alikon:patch-92 on Mar 17, 2018

10 participants
Contributor

alikon commented Aug 20, 2017

...from #17619 (comment)
add light checksum for joomla update

Summary of Changes

trigger the checksum check on update
if the update server manifest has a hash tag

Testing Instructions

  • start with latest staging (for time of writing) version 3.8.0-beta5
  • apply pr #17619
  • in order to simulate a joomlaupdate
    • run php bump version 3.8.0-beta4 (i.e. one version before)
  • set Update channel to custom URL for example (http://localhost/test/list_testpr17632.xml)
  • create that file with something like this content
<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
 <extension name="Joomla" element="joomla" type="file" version="3.8.0-beta4" targetplatformversion="3.8" detailsurl="http://localhost/test/extension_testpr17632.xml" />
</extensionset>

<?xml version="1.0" ?>
<updates>
	<update>
		<name>Joomla! 3.8</name>
		<description>Joomla! 3.8 CMS</description>
		<element>joomla</element>
		<type>file</type>
		<version>3.8.0-beta4</version>
		<infourl title="Joomla!">https://www.joomla.org</infourl>
		<downloads>
			<downloadurl type="full" format="zip">http://localhost/test/Joomla_pr17632-Update_Package.zip</downloadurl>
		</downloads>
		<tags>
			<tag>stable</tag>
		</tags>
		<maintainer>Joomla! PLT</maintainer>
		<maintainerurl>https://www.joomla.org</maintainerurl>
		<targetplatform name="joomla" version="3.[3456789]"/>
		<php_minimum>5.3.10</php_minimum>
	</update>
</updates>

Test case 1 - no checksum hashtag in the update server manifest

Expected result

a notice is shown


to test the next 2 cases we need to:

  • calculate the hash value (for example sha256)
    • (on Linux) run sha256sum Joomla_pr17632-Update_Package.zip

Test case 2 - correct checksum hashtag in the update server manifest

  • add a <sha256>correcthashvalue</sha256> tag in the current update server instance something like:

screenshot from 2017-09-02 09-30-38

Expected result

an info is shown

Test case 3 - wrong checksum hashtag in the update server manifest

  • add a <sha256>wronghashvalue</sha256> tag in the current update server instance

Expected result

a warning is shown


Documentation Changes Required

new tags :

  • <sha256></sha256>
  • <sha384></sha384>
  • <sha512></sha512>
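
The three test cases above, sketched as an added example (not code from this pull request or from Joomla): it reads the hash tags from a manifest, hashes the package once, and maps the result to the notice / info / warning outcomes. The function names, return strings and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import xml.etree.ElementTree as ET

# Hash tags listed under "Documentation Changes Required" in the PR.
SUPPORTED = ("sha256", "sha384", "sha512")

def sample_manifest(hash_tag=""):
    """Constructed, trimmed-down update manifest; hash_tag is spliced in."""
    return ('<?xml version="1.0" ?><updates><update>'
            "<element>joomla</element><version>3.8.0-beta4</version>"
            '<downloads><downloadurl type="full" format="zip">'
            "http://localhost/test/Joomla_pr17632-Update_Package.zip"
            "</downloadurl></downloads>" + hash_tag + "</update></updates>")

def digest_stream(stream, chunk_size=65536):
    """Read the package once and return a hex digest per supported tag."""
    hashers = {name: hashlib.new(name) for name in SUPPORTED}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def check_update(manifest_xml, package_stream):
    """Return 'notice' (no hash tag), 'info' (match) or 'warning' (mismatch)."""
    update = ET.fromstring(manifest_xml).find("update")
    if update is None:
        raise ValueError("manifest has no <update> element")
    expected = {}
    for name in SUPPORTED:
        node = update.find(name)
        if node is not None:
            # Hex digests are case-insensitive; an empty tag never matches.
            expected[name] = (node.text or "").strip().lower().encode()
    if not expected:
        return "notice"
    actual = digest_stream(package_stream)
    # Every hash the manifest carries must match, compared in constant time.
    matches = [hmac.compare_digest(actual[n].encode(), v)
               for n, v in expected.items()]
    return "info" if all(matches) else "warning"

if __name__ == "__main__":
    package = b"constructed stand-in for Joomla_pr17632-Update_Package.zip"
    good = "<sha256>%s</sha256>" % hashlib.sha256(package).hexdigest()
    for tag in ("", good, "<sha256>wronghashvalue</sha256>"):
        print(check_update(sample_manifest(tag), io.BytesIO(package)))
```

Because the hash travels in the same manifest as the download URL, a match shows that the package is the one the update server described; it does not authenticate the update server itself.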

alikon added some commits Aug 20, 2017

[3.8] - checksum joomlaupdate light
add light checksum to joomlaupdate
model
model
lang
lang string
Contributor

zero-24 commented Aug 20, 2017

@mbabker can we have your final words on the algos, as SHA1 and MD5 are very well known to be weak. Especially as the core should provide a more secure algo.

Member

mbabker commented Aug 20, 2017

Personally I'd rather not support SHA1 and MD5 since they are weak. If SHA256 doesn't have the same weaknesses then that'd be fine.

Contributor Author

alikon commented Aug 21, 2017

ok now #17619 supports only sha256

Contributor Author

alikon commented Aug 21, 2017

should we consider to add sha512 "longer is better" ?

Contributor

zero-24 commented Aug 21, 2017

> should we consider to add sha512 "longer is better" ?

Sounds good. ;)

Contributor

anibalsanchez commented Aug 30, 2017

@alikon detailed the steps to create list.xml and extension_sts.xml.... so I guess he was thinking to enter the Url on the "Custom URL" field.

In "Joomla Update", you have "Options", where you can play with "Update Channel"
For testing, you can change it to a "Custom URL".

Contributor Author

alikon commented Sep 2, 2017

@anibalsanchez , @NunoLopes96
added more clear test info ;)


franz-wohlkoenig commented Nov 1, 2017

@anibalsanchez , @NunoLopes96 are Test Info @alikon suggested unclear?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17632.

Contributor

anibalsanchez commented Nov 1, 2017

It is OK for me.


franz-wohlkoenig commented Nov 1, 2017

@anibalsanchez can I alter above Comment as successfully Test?

Contributor

anibalsanchez commented Nov 3, 2017

I have tested this item successfully on f61f6ab



Contributor

anibalsanchez commented Nov 3, 2017

Test OK

My notes:

  • Apply PR #17619 AND PR #17632
  • I tested updating from 3.8.0 to 3.8.1
  • After every test, Joomla is updated... so the patches have to be re-applied for the next test

These are my xmls:

list_testpr17632.xml

<extensionset name="Joomla Core Test Updateserver" description="The Joomla Core Update Server for Tests of Alpha, Beta and RC Releases">
 <extension name="Joomla" element="joomla" type="file" version="3.8.1" targetplatformversion="3.8" detailsurl="http://local-server.extly.com/j38/extension_testpr17632.xml" />
</extensionset>

extension_testpr17632.xml

<?xml version="1.0" ?>
<updates>
	<update>
		<name>Joomla! 3.8</name>
		<description>Joomla! 3.8 CMS</description>
		<element>joomla</element>
		<type>file</type>
		<version>3.8.1</version>
		<infourl title="Joomla!">https://www.joomla.org</infourl>
		<downloads>
			<downloadurl type="full" format="zip">http://local-server.extly.com/j38/Joomla_pr17632-Update_Package.zip</downloadurl>
		</downloads>
		<tags>
			<tag>stable</tag>
		</tags>
		<sha256>e8339bed3cbba5eebb7d355e026d29594ec164420beebe97839b0019b630ed96</sha256>
		<maintainer>Joomla! PLT</maintainer>
		<maintainerurl>https://www.joomla.org</maintainerurl>
		<targetplatform name="joomla" version="3.[3456789]"/>
		<php_minimum>5.3.10</php_minimum>
	</update>
</updates>

NunoLopes96 commented Nov 10, 2017

I have tested this item successfully on f61f6ab

Great Work !!




Contributor Author

alikon commented Nov 10, 2017

@NunoLopes96 just a follow up from your work at Joomla GSoC 17 project https://github.com/joomla-projects/gsoc17_expand_extension_manager


franz-wohlkoenig commented Nov 11, 2017

RTC after two successful tests.

@joomla-cms-bot joomla-cms-bot added the RTC label Nov 11, 2017

@mbabker mbabker added this to the Joomla 3.9.0 milestone Nov 24, 2017

@joomla-cms-bot joomla-cms-bot changed the title from "[3.8] - light checksum for joomlaupdate" to "light checksum for joomlaupdate" Dec 22, 2017

@joomla-cms-bot joomla-cms-bot removed the RTC label Dec 22, 2017

@joomla-cms-bot joomla-cms-bot removed this from the Joomla 3.9.0 milestone Dec 22, 2017

Contributor

Quy commented Feb 15, 2018

@brianteeman Please retag for v3.9.0. Darn bot!

Bakual and others added some commits Mar 9, 2018

Contributor Author

alikon commented Mar 12, 2018

conflict solved

@mbabker mbabker changed the base branch from staging to 3.9-dev Mar 17, 2018

@mbabker mbabker removed the PR-staging label Mar 17, 2018

@mbabker mbabker merged commit 93c8b8f into joomla:3.9-dev Mar 17, 2018

1 of 4 checks passed

  • continuous-integration/drone/pr: the build failed
  • continuous-integration/appveyor/pr: Waiting for AppVeyor build to complete
  • continuous-integration/travis-ci/pr: The Travis CI build is in progress
  • hound: No violations found. Woof!

@joomla-cms-bot joomla-cms-bot removed the RTC label Mar 17, 2018

@alikon alikon deleted the alikon:patch-92 branch Mar 18, 2018

zero-24 added a commit to zero-24/joomla that referenced this pull request Apr 7, 2018

mbabker added a commit to mbabker/joomla-cms that referenced this pull request May 12, 2018

light checksum for joomlaupdate (joomla#17632)
* [3.8] - checksum joomlaupdate light

add light checksum to joomlaupdate

* model

model

* lang

lang string

* Update spanish installation language (joomla#19878)

* implement check provided by @ggppdk (joomla#19791)