Use sha256 instead of md5 for file integrity checks (#22602)
* use sha256 instead of md5 for file integrity checks

* apply review feedback

* updates expected UI test files
sgiehl authored Sep 20, 2024
1 parent 15bbb30 commit 18513d6
Showing 55 changed files with 64 additions and 64 deletions.
6 changes: 3 additions & 3 deletions .github/scripts/build-package.sh
Expand Up @@ -55,9 +55,9 @@ function checkEnv() {
die "Cannot find zip"
fi

if [ ! -x "/usr/bin/md5sum" ] && [ ! -x "$(which md5sum)" ]
if [ ! -x "/usr/bin/sha256sum" ] && [ ! -x "$(which sha256sum)" ]
then
die "Cannot find md5sum"
die "Cannot find sha256sum"
fi
}

Expand Down Expand Up @@ -123,7 +123,7 @@ function organizePackage() {
rm -rf misc/package/
fi

find ./ -type f -printf '%s ' -exec md5sum {} \; \
find ./ -type f -printf '%s ' -exec sha256sum {} \; \
| grep -v "user/.htaccess" \
| egrep -v 'manifest.inc.php|vendor/autoload.php|vendor/composer/autoload_real.php' \
| sed '1,$ s/\([0-9]*\) \([a-z0-9]*\) *\.\/\(.*\)/\t\t"\3" => array("\1", "\2"),/;' \
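Review bot: The manifest the `find`/`sha256sum` pipeline produces still excludes `manifest.inc.php` itself (the `egrep -v` on the following line), so the manifest is not self-attesting: sha256 improves collision resistance when detecting corrupted or partially upgraded files, but anyone able to rewrite files in the tree can presumably regenerate the manifest alongside them, and the runtime check reads the manifest from that same tree. That is consistent with the check's purpose, but it deserves a comment above the `find`, e.g. `# Per-file size + sha256 manifest; manifest.inc.php itself is excluded, so this detects corruption and incomplete upgrades, not tampering with the whole tree.` Separately, `egrep` is deprecated in current GNU grep and prints a warning; `grep -E -v` is the drop-in replacement. `organizePackage` continues outside the hunk, as does the first hunk's `checkEnv`.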
13 changes: 6 additions & 7 deletions core/FileIntegrity.php
Expand Up @@ -332,9 +332,8 @@ protected static function isFileNotInManifestButExpectedAnyway($file)
protected static function getMessagesFilesMismatch($messages)
{
$messagesMismatch = array();
$hasMd5file = function_exists('md5_file');
$hasHashFile = function_exists('hash_file');
$files = \Piwik\Manifest::$files;
$hasMd5 = function_exists('md5');
foreach ($files as $path => $props) {
$file = PIWIK_INCLUDE_PATH . '/' . $path;

Expand All @@ -345,7 +344,7 @@ protected static function getMessagesFilesMismatch($messages)
continue;
}

if (!$hasMd5 || in_array(substr($path, -4), array('.gif', '.ico', '.jpg', '.png', '.swf'))) {
if (in_array(substr($path, -4), array('.gif', '.ico', '.jpg', '.png', '.swf'))) {
// files that contain binary data (e.g., images) must match the file size
$messagesMismatch[] = Piwik::translate('General_ExceptionFilesizeMismatch', array($file, $props[0], filesize($file)));
} else {
Expand All @@ -354,12 +353,12 @@ protected static function getMessagesFilesMismatch($messages)
$content = str_replace("\r\n", "\n", $content);
if (
(strlen($content) != $props[0])
|| (@md5($content) !== $props[1])
|| (@hash('sha256', $content) !== $props[1])
) {
$messagesMismatch[] = Piwik::translate('General_ExceptionFilesizeMismatch', array($file, $props[0], filesize($file)));
}
}
} elseif ($hasMd5file && (@md5_file($file) !== $props[1])) {
} elseif ($hasHashFile && (@hash_file('sha256', $file) !== $props[1])) {
if (self::isModifiedPathValid($path)) {
continue;
}
Expand All @@ -368,8 +367,8 @@ protected static function getMessagesFilesMismatch($messages)
}
}

if (!$hasMd5file) {
$messages[] = Piwik::translate('General_WarningFileIntegrityNoMd5file');
if (!$hasHashFile) {
$messages[] = Piwik::translate('General_WarningFileIntegrityNoHashFile');
}

if (!empty($messagesMismatch)) {
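Review bot: The `@` kept on `hash('sha256', $content)` in the text-file branch suppresses nothing useful, since `hash()` with a supported algorithm and a string argument emits no warning, while `@hash_file('sha256', $file)` in the `elseif` still folds a read failure (`false`) into a digest mismatch, so a permissions problem surfaces as a modified file. I would write `|| (hash('sha256', $content) !== $props[1])` for the first and, for the second, store the `hash_file()` result and report `false` as an unreadable file rather than a mismatch. The `function_exists('hash_file')` guard and the new `General_WarningFileIntegrityNoHashFile` key are only reachable on a PHP build without ext/hash, which I believe has been mandatory since PHP 7.4; if the project's minimum PHP is at or above that, both are dead and could go. `getMessagesFilesMismatch` begins before the first hunk and continues between and after them.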
2 changes: 1 addition & 1 deletion lang/ar.json
Expand Up @@ -391,7 +391,7 @@
"Warning": "تنبيه",
"WarningFileIntegrityNoManifest": "لم يمكن إجراء فحص سلامة الملفات بسبب فقد ملف manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "هذه الرسالة طبيعية إن كنت تنشر Matomo من Git .",
"WarningFileIntegrityNoMd5file": "لم يمكن إتمام فحص سلامة الملفات بسبب فقد دالة md5_file().",
"WarningFileIntegrityNoHashFile": "لم يمكن إتمام فحص سلامة الملفات بسبب فقد دالة hash_file().",
"WarningPasswordStored": "%1$sتنبيه:%2$s سيتم حفظ كلمة المرور هذه في ملف الإعدادات وظاهرة لأياً كان ممن يمكنه الوصول إليه.",
"Website": "الموقع",
"Weekly": "أسبوعي",
2 changes: 1 addition & 1 deletion lang/be.json
Expand Up @@ -249,7 +249,7 @@
"VisitsWith": "Наведванняў з %s",
"Warning": "Увага",
"WarningFileIntegrityNoManifest": "Праверка цэласнасці файлаў не можа быць выканана з-за адсутнасці файла manifest.inc.php.",
"WarningFileIntegrityNoMd5file": "Праверка цэласнасці файлаў не можа быць завершана з-за адсутнасці md5_file () функцыі.",
"WarningFileIntegrityNoHashFile": "Праверка цэласнасці файлаў не можа быць завершана з-за адсутнасці hash_file() функцыі.",
"WarningPasswordStored": "%1$sWarning:%2$s Гэты пароль будзе захаваны ў файле канфігурацыі, ен будзе бачным ўсім, хто мае да яго доступ.",
"Website": "Сайт",
"Weekly": "Штотыдзень",
2 changes: 1 addition & 1 deletion lang/bg.json
Expand Up @@ -513,7 +513,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "В момента използвате Matomo в режим на разработка, но Matomo не е инсталирано чрез git. Не се препоръчва използването на Matomo в режим на разработка в производствена среда.",
"WarningFileIntegrityNoManifest": "Цялостната проверка на файла не може да бъде изпълнена поради липсата на manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "В случай, че Matomo се внедрява посредством Git, е нормално това съобщение да се появява.",
"WarningFileIntegrityNoMd5file": "Цялостната проверка не може да бъде осъществена поради липсата на md5_file() функцията.",
"WarningFileIntegrityNoHashFile": "Цялостната проверка не може да бъде осъществена поради липсата на hash_file() функцията.",
"WarningPasswordStored": "%1$sВнимание:%2$s Тази парола ще се съхранява в конфигурационния файл видими за всички, които я ползват.",
"WarningPhpVersionXIsTooOld": "Версията на PHP %s, която използвате, достигна своя край на живота (EOL). Силно препоръчваме да обновите до текуща версия, тъй като използването на тази версия може да Ви изложи на уязвимости и проблеми в сигурността, които са били отстранени в по-новите версии на PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo ще спре да поддържа PHP %1$s в следващата версия. Актуализирайте своя PHP поне до PHP %2$s, преди да е станало твърде късно!",
2 changes: 1 addition & 1 deletion lang/bs.json
Expand Up @@ -308,7 +308,7 @@
"VisitsWith": "Posjete sa %s",
"Warning": "Upozorenje",
"WarningFileIntegrityNoManifest": "Provjera integracije fajlova nije mogla biti pokrenuta zbog nedostatka manifest.inc.php.",
"WarningFileIntegrityNoMd5file": "Provjera fajla nije mogla biti pokrenuta zbog nedostatka md5_file() function.",
"WarningFileIntegrityNoHashFile": "Provjera fajla nije mogla biti pokrenuta zbog nedostatka hash_file() function.",
"WarningPasswordStored": "%1$sUpozorenje:%2$s Ovaj password će biti sačuvan u config fajl koji će biti vidljiv svima koji mogu pristupiti tom fajlu.",
"Website": "Web stranica",
"Weekly": "Sedmično",
2 changes: 1 addition & 1 deletion lang/ca.json
Expand Up @@ -525,7 +525,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "Actualment esteu utilitzant Matomo en mode de desenvolupament, però no s'ha instal·lat mitjançant git. No es recomana utilitzar Matomo en mode de desenvolupament en un entorn de producció.",
"WarningFileIntegrityNoManifest": "La verificació de la integritat dels fitxers no s'ha pogut fer perquè falta el manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "Si esteu desplegant Matomo des de Git, aquest missatge és normal.",
"WarningFileIntegrityNoMd5file": "La verificació de la integritat dels fitxers no s'ha pogut completar perquè falta la funció md5_file().",
"WarningFileIntegrityNoHashFile": "La verificació de la integritat dels fitxers no s'ha pogut completar perquè falta la funció hash_file().",
"WarningPasswordStored": "%1$sAlerta:%2$s Aquesta contrasenya es guardarà en un fitxer de configuració visible on tothom pot accedir.",
"WarningPhpVersionXIsTooOld": "La versió de PHP %s que esteu utilitzant ha arribat al final de la seva vida útil (EOL). Us demanem vivament que actualitzeu a una versió actual, ja que l'ús d'aquesta versió us pot exposar a vulnerabilitats de seguretat i errors que s'han corregit en versions més recents de PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo deixarà de suportar PHP %1$s a la propera versió principal. Actualitzeu el vostre PHP com a mínim a PHP %2$s, abans que sigui massa tard!",
2 changes: 1 addition & 1 deletion lang/cs.json
Expand Up @@ -525,7 +525,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "V současné době používáte Matomo ve vývojovém režimu, systém ale nebyl nainstalován prostřednictvím gitu. V produkčním prostředí se nedoporučuje používat Matomo ve vývojovém režimu.",
"WarningFileIntegrityNoManifest": "Test integrity nemůže být proveden z důvodů chybějícího souboru manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "Pokud nasazujete Matomo z Gitu, pak je tato zpráva normální.",
"WarningFileIntegrityNoMd5file": "Test integrity nemůže být dokončen z důvodů chybějící funkce md5_file().",
"WarningFileIntegrityNoHashFile": "Test integrity nemůže být dokončen z důvodů chybějící funkce hash_file().",
"WarningPasswordStored": "%1$sUpozornění:%2$s Toto heslo bude uloženo v konfiguračním souboru viditelné pro všechny s přístupem k němu.",
"WarningPhpVersionXIsTooOld": "PHP verze %s, kterou používáte již není podporována (EOL). Důrazně doporučujeme aktualizovat na novější verzi, protože stávající může obsahovat bezpečnostní a další problémy, které byly opraveny v novějších verzích PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo přestane podporavat PHP %1$s v dalším vydání. Aktualizujte PHP alespoň na %2$s, než bude pozdě!",
2 changes: 1 addition & 1 deletion lang/cy.json
Expand Up @@ -202,7 +202,7 @@
"VisitsWith": "Ymweliadau gyda %s",
"Warning": "Rhybudd",
"WarningFileIntegrityNoManifest": "Nid oedd yn bosib perfformio gwiriad cywirdeb ar y ffeil am fod manifest.inc.php ar goll.",
"WarningFileIntegrityNoMd5file": "Nid oedd yn bosib perfformio gwiriad cywirdeb ar y ffeil am fod gweithred md5_file() ar goll.",
"WarningFileIntegrityNoHashFile": "Nid oedd yn bosib perfformio gwiriad cywirdeb ar y ffeil am fod gweithred hash_file() ar goll.",
"WarningPasswordStored": "%1$sRhybudd:%2$s Bydd y cyfrinair yn cael ei storio yn y ffeil config ac yn weladwy i bawb sydd a mynediad iddo.",
"Website": "Gwefan",
"Weekly": "Wythnosol",
2 changes: 1 addition & 1 deletion lang/da.json
Expand Up @@ -517,7 +517,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "Du bruger i øjeblikket Matomo i udviklingstilstand, men det blev ikke installeret via git. Det anbefales ikke at bruge Matomo i udviklingstilstand i produktionsmiljø.",
"WarningFileIntegrityNoManifest": "Filintegritetstjek kunne ikke udføres på grund af manglende manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "Hvis du implementerer Matomo fra Git, er meddelelsen normal.",
"WarningFileIntegrityNoMd5file": "Fil integritetstjek kunne ikke gennemføres pga. manglende md5_file () funktion.",
"WarningFileIntegrityNoHashFile": "Fil integritetstjek kunne ikke gennemføres pga. manglende hash_file() funktion.",
"WarningPasswordStored": "%1$sAdvarsel:%2$s Adgangskoden bliver gemt i konfigurationsfilen synlig for alle, der har adgang til den.",
"WarningPhpVersionXIsTooOld": "PHP-version %s har nået slutningen af sin levetid (EOL). Du opfordres kraftigt til at opgradere til den aktuelle version, fordi brug af denne version kan udsætte dig for sikkerhedshuller og fejl, som er blevet rettet i nyere versioner af PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo ophører med at understøtte PHP %1$s i den næste store opdatering. Opgrader din PHP mindst PHP %2$s før det er for sent!",
2 changes: 1 addition & 1 deletion lang/de.json
Expand Up @@ -525,7 +525,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "Sie verwenden Matomo aktuell im Entwicklermodus, aber es wurde nicht über git installiert. Es wird nicht empfohlen, den Entwicklermodus in produktiver Umgebung zu nutzen.",
"WarningFileIntegrityNoManifest": "Aufgrund der fehlenden Datei manifest.inc.php konnte die Integritätsprüfung nicht durchgeführt werden.",
"WarningFileIntegrityNoManifestDeployingFromGit": "Wenn Sie Matomo von Git deployen, ist diese Nachricht normal.",
"WarningFileIntegrityNoMd5file": "Durch die fehlende md5_file() Funktion konnte die Integritätsprüfung nicht durchgeführt werden.",
"WarningFileIntegrityNoHashFile": "Durch die fehlende hash_file() Funktion konnte die Integritätsprüfung nicht durchgeführt werden.",
"WarningPasswordStored": "%1$sWarnung:%2$s Dieses Passwort wird in der Konfigurationsdatei gespeichert und ist so für jeden sichtbar, der auf diese Datei Zugriff hat.",
"WarningPhpVersionXIsTooOld": "Die von Ihnen eingesetzte PHP Version %s hat das Ende der Lebensdauer (EOL) erreicht. Es wird dringend angeraten, ein Update auf eine aktuelle Version durchzuführen, da der Einsatz dieser Version zu Sicherheitsrisiken und Fehlern führen kann, welche in neueren PHP Versionen korrigiert wurden.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo wird die Unterstützung für PHP %1$s in der nächsten Hauptversion einstellen. Aktualisieren Sie ihre PHP Version auf mindestens %2$s, bevor es zu spät ist!",
2 changes: 1 addition & 1 deletion lang/el.json
Expand Up @@ -525,7 +525,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "Χρησιμοποιείτε αυτή τη στιγμή το Matomo από κατάσταση προγραμματιστή (ανάπτυξης), αλλά δεν εγκαταστάθηκε μέσω του git. Δεν προτείνεται να χρησιμοποιείτε το Matomo από κατάσταση προγραμματιστή σε παραγωγική λειτουργία.",
"WarningFileIntegrityNoManifest": "Ο έλεγχος ακεραιότητας αρχείου δεν μπορεί να πραγματοποιηθεί επειδή λείπει το αρχείο manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "Αν εγκαθιστάτε το Matomo από το Git, το μήνυμα αυτό είναι φυσιολογικό.",
"WarningFileIntegrityNoMd5file": "Ο έλεγχος ακεραιότητας αρχείου δεν μπορεί να ολοκληρωθεί γιατί είναι ανενεργή η συνάρτηση md5_file().",
"WarningFileIntegrityNoHashFile": "Ο έλεγχος ακεραιότητας αρχείου δεν μπορεί να ολοκληρωθεί γιατί είναι ανενεργή η συνάρτηση hash_file().",
"WarningPasswordStored": "%1$sΠροσοχή:%2$s Αυτό το συνθηματικό θα αποθηκευτεί στο αρχείο ρυθμίσεων και θα είναι ορατό από οποιονδήποτε έχει πρόσβαση σε αυτό.",
"WarningPhpVersionXIsTooOld": "Η έκδοση PHP %s που χρησιμοποιείτε έχει φτάσει στο Τέλος Ζωής της (EOL). Συνιστάται να αναβαθμίσετε στην τρέχουσα έκδοση, καθώς η χρήση αυτή της έκδοσης μπορεί να σας εκθέσει σε προβλήματα ασφαλείας και σφάλματα που έχουν διορθωθεί στις πρόσφατες εκδόσεις της PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Το Matomo θα σταματήσει να υποστηρίζει την PHP %1$s στην επόμενη σημαντική έκδοσή του. Αναβαθμίστε την PHP τουλάχιστον στην έκδοση %2$s, προτού είναι αργά!",
2 changes: 1 addition & 1 deletion lang/en.json
Expand Up @@ -521,7 +521,7 @@
"WarningDevelopmentModeOnButNotGitInstalled": "You are currently using Matomo in development mode, but it was not installed through git. It's not recommended to use Matomo in development mode in production environment.",
"WarningFileIntegrityNoManifest": "File integrity check could not be performed due to missing manifest.inc.php.",
"WarningFileIntegrityNoManifestDeployingFromGit": "If you are deploying Matomo from Git, this message is normal.",
"WarningFileIntegrityNoMd5file": "File integrity check could not be completed due to missing md5_file() function.",
"WarningFileIntegrityNoHashFile": "File integrity check could not be completed due to missing hash_file() function.",
"WarningPasswordStored": "%1$sWarning:%2$s This password will be stored in the config file visible to everybody who can access it.",
"WarningPhpVersionXIsTooOld": "The PHP version %s you are using has reached its End of Life (EOL). You are strongly urged to upgrade to a current version, as using this version may expose you to security vulnerabilities and bugs that have been fixed in more recent versions of PHP.",
"WarningPiwikWillStopSupportingPHPVersion": "Matomo will stop supporting PHP %1$s in the next major version. Upgrade your PHP to at least PHP %2$s, before it's too late!",
2 changes: 1 addition & 1 deletion lang/eo.json
Expand Up @@ -338,7 +338,7 @@
"VisitsWith": "Vizitoj kun %s",
"Warning": "Averto",
"WarningFileIntegrityNoManifest": "La testo de integreco ne povas esti farita ĉar manifest.inc.php ne troviĝas.",
"WarningFileIntegrityNoMd5file": "La testo de integreco ne povis kompletiĝi ĉar md5_file() funkcio ne troviĝas.",
"WarningFileIntegrityNoHashFile": "La testo de integreco ne povis kompletiĝi ĉar hash_file() funkcio ne troviĝas.",
"WarningPasswordStored": "%1$sAverto:%2$s Ĉi-pasvorto estos konservita en la konfigurdosiero videbla de ĉiuj kiuj povas atingis ĝin.",
"Warnings": "Avertoj",
"Website": "Retejo",