Fix autoupdate against HTTP MITM and MD5 collisions

Johannes Feichtner 2016-02-23 21:52:35 +01:00
parent 2e0cb5050f
commit 75172f9e8d
2 changed files with 13 additions and 13 deletions


@ -22,9 +22,9 @@ define('AREA', 'admin');
require './lib/init.php';
// define update-uri
define('UPDATE_URI', "http://version.froxlor.org/Froxlor/legacy/" . $version);
define('RELEASE_URI', "http://autoupdate.froxlor.org/froxlor-{version}.zip");
define('MD5SUM_URI', "http://autoupdate.froxlor.org/froxlor-{version}.zip.md5");
define('UPDATE_URI', "https://version.froxlor.org/Froxlor/legacy/" . $version);
define('RELEASE_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip");
define('CHECKSUM_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip.sha256");
// check for allow_url_fopen
if (ini_get('allow_url_fopen') === false) {
@ -105,8 +105,8 @@ elseif ($page == 'getdownload') {
// define files to get
$toLoad = str_replace('{version}', $newversion, RELEASE_URI);
$toCheck = str_replace('{version}', $newversion, MD5SUM_URI);
$toCheck = str_replace('{version}', $newversion, CHECKSUM_URI);
// get archive data
$newArchive = @file_get_contents($toLoad);
@ -133,8 +133,8 @@ elseif ($page == 'getdownload') {
// close file-handle
fclose($fh);
// validate MD5
// validate the integrity of the downloaded file
$_shouldsum = @file_get_contents($toCheck);
if (!empty($_shouldsum)) {
$_t = explode(" ", $_shouldsum);
@ -142,8 +142,8 @@ elseif ($page == 'getdownload') {
} else {
$shouldsum = null;
}
$filesum = md5_file($localArchive);
$filesum = hash_file('sha256', $localArchive);
if ($filesum != $shouldsum) {
redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 9));
}
@ -204,6 +204,6 @@ elseif ($page == 'error') {
// 6 = download without valid version
// 7 = local archive does not exist
// 8 = could not extract archive
// 9 = md5 mismatch
// 9 = checksum mismatch
standard_error ('autoupdate_'.$errno);
}
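Review bot: The integrity check still compares the digests with loose `!=` (the `if ($filesum != $shouldsum)` line after the new `hash_file('sha256', ...)`), and PHP's loose comparison treats two hex strings that happen to be all-digit with a leading `0e` as equal numbers, so a mismatched checksum can pass; the switch to SHA-256 does not change that. A strict, timing-safe comparison that also handles the `null` branch set when the checksum file could not be fetched would be `if ($shouldsum === null || !hash_equals($shouldsum, $filesum)) {`. The expected sum is still taken from a file served by the same host as the archive, so presumably this guards against transport tampering rather than a compromised download server; a short comment stating that scope, e.g. `// the .sha256 file comes from the same origin as the archive: this detects corruption/transit tampering, not a compromised host`, would keep later readers from over-trusting it. The enclosing `elseif ($page == 'getdownload')` block starts and ends outside these hunks.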


@ -1954,14 +1954,14 @@ $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>The SSL redirect is t
$lng['admin']['autoupdate'] = 'Auto-Update';
$lng['error']['customized_version'] = 'It looks like your Froxlor installation has been customized, no support sorry.';
$lng['error']['autoupdate_0'] = 'Unknown error';
$lng['error']['autoupdate_1'] = 'PHP setting allow_url_fopen is disabled. Autoupdate needs this setting to be enabled in the php.ini';
$lng['error']['autoupdate_1'] = 'PHP setting allow_url_fopen is disabled. Autoupdate needs this setting to be enabled in php.ini';
$lng['error']['autoupdate_2'] = 'PHP extension Zlib not found, please ensure it is installed and activated';
$lng['error']['autoupdate_4'] = 'The froxlor archive could not be stored to the disk :(';
$lng['error']['autoupdate_5'] = 'version.froxlor.org returned inacceptable values :(';
$lng['error']['autoupdate_6'] = 'Woops, there was no (valid) version given to download :(';
$lng['error']['autoupdate_7'] = 'The downloaded archive could not be found :(';
$lng['error']['autoupdate_8'] = 'The archive could not be extraxted :(';
$lng['error']['autoupdate_9'] = 'The MD5 sum of the downloaded file is not correct. Please try to update again.';
$lng['error']['autoupdate_8'] = 'The archive could not be extracted :(';
$lng['error']['autoupdate_9'] = 'The downloaded file did not pass the integrity check. Please try to update again.';
$lng['admin']['server_php'] = 'PHP';