maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

Fix autoupdate against HTTP MITM and MD5 collisions

Browse Source
This commit is contained in:
Johannes Feichtner
2016-02-23 21:52:35 +01:00
parent 2e0cb5050f
commit 75172f9e8d
2 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
admin_autoupdate.php
View File

@@ -22,9 +22,9 @@ define('AREA', 'admin');
require './lib/init.php'; require './lib/init.php';
// define update-uri // define update-uri
define('UPDATE_URI', "http://version.froxlor.org/Froxlor/legacy/" . $version); define('UPDATE_URI', "https://version.froxlor.org/Froxlor/legacy/" . $version);
define('RELEASE_URI', "http://autoupdate.froxlor.org/froxlor-{version}.zip"); define('RELEASE_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip");
define('MD5SUM_URI', "http://autoupdate.froxlor.org/froxlor-{version}.zip.md5"); define('CHECKSUM_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip.sha256");
// check for allow_url_fopen // check for allow_url_fopen
if (ini_get('allow_url_fopen') === false) { if (ini_get('allow_url_fopen') === false) {
@@ -105,7 +105,7 @@ elseif ($page == 'getdownload') {
// define files to get // define files to get
$toLoad = str_replace('{version}', $newversion, RELEASE_URI); $toLoad = str_replace('{version}', $newversion, RELEASE_URI);
$toCheck = str_replace('{version}', $newversion, MD5SUM_URI); $toCheck = str_replace('{version}', $newversion, CHECKSUM_URI);
// get archive data // get archive data
$newArchive = @file_get_contents($toLoad); $newArchive = @file_get_contents($toLoad);
@@ -134,7 +134,7 @@ elseif ($page == 'getdownload') {
// close file-handle // close file-handle
fclose($fh); fclose($fh);
// validate MD5 // validate the integrity of the downloaded file
$_shouldsum = @file_get_contents($toCheck); $_shouldsum = @file_get_contents($toCheck);
if (!empty($_shouldsum)) { if (!empty($_shouldsum)) {
$_t = explode(" ", $_shouldsum); $_t = explode(" ", $_shouldsum);
@@ -142,7 +142,7 @@ elseif ($page == 'getdownload') {
} else { } else {
$shouldsum = null; $shouldsum = null;
} }
$filesum = md5_file($localArchive); $filesum = hash_file('sha256', $localArchive);
if ($filesum != $shouldsum) { if ($filesum != $shouldsum) {
redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 9)); redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 9));
@@ -204,6 +204,6 @@ elseif ($page == 'error') {
// 6 = download without valid version // 6 = download without valid version
// 7 = local archive does not exist // 7 = local archive does not exist
// 8 = could not extract archive // 8 = could not extract archive
// 9 = md5 mismatch // 9 = checksum mismatch
standard_error ('autoupdate_'.$errno); standard_error ('autoupdate_'.$errno);
} }

6
lng/english.lng.php
View File

@@ -1954,14 +1954,14 @@ $lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>The SSL redirect is t
$lng['admin']['autoupdate'] = 'Auto-Update'; $lng['admin']['autoupdate'] = 'Auto-Update';
$lng['error']['customized_version'] = 'It looks like your Froxlor installation has been customized, no support sorry.'; $lng['error']['customized_version'] = 'It looks like your Froxlor installation has been customized, no support sorry.';
$lng['error']['autoupdate_0'] = 'Unknown error'; $lng['error']['autoupdate_0'] = 'Unknown error';
$lng['error']['autoupdate_1'] = 'PHP setting allow_url_fopen is disabled. Autoupdate needs this setting to be enabled in the php.ini'; $lng['error']['autoupdate_1'] = 'PHP setting allow_url_fopen is disabled. Autoupdate needs this setting to be enabled in php.ini';
$lng['error']['autoupdate_2'] = 'PHP extension Zlib not found, please ensure it is installed and activated'; $lng['error']['autoupdate_2'] = 'PHP extension Zlib not found, please ensure it is installed and activated';
$lng['error']['autoupdate_4'] = 'The froxlor archive could not be stored to the disk :('; $lng['error']['autoupdate_4'] = 'The froxlor archive could not be stored to the disk :(';
$lng['error']['autoupdate_5'] = 'version.froxlor.org returned inacceptable values :('; $lng['error']['autoupdate_5'] = 'version.froxlor.org returned inacceptable values :(';
$lng['error']['autoupdate_6'] = 'Woops, there was no (valid) version given to download :('; $lng['error']['autoupdate_6'] = 'Woops, there was no (valid) version given to download :(';
$lng['error']['autoupdate_7'] = 'The downloaded archive could not be found :('; $lng['error']['autoupdate_7'] = 'The downloaded archive could not be found :(';
$lng['error']['autoupdate_8'] = 'The archive could not be extraxted :('; $lng['error']['autoupdate_8'] = 'The archive could not be extracted :(';
$lng['error']['autoupdate_9'] = 'The MD5 sum of the downloaded file is not correct. Please try to update again.'; $lng['error']['autoupdate_9'] = 'The downloaded file did not pass the integrity check. Please try to update again.';
$lng['admin']['server_php'] = 'PHP'; $lng['admin']['server_php'] = 'PHP';