Integrity check fails with modified image files and css - is there any way to bypass?

ted.strauss · January 25, 2018, 7:57pm

Steps to reproduce

Modified some graphics in owncloud/core/img to change the site logo and favicon.
Also modified owncloud/core/css/header.css to change colors.
Server integrity check now reports invalid hash errors for the modified files.

These files are intentionally modified, so i'm looking for some way to commit them, so integrity check passes.

Expected behaviour

Integrity check passes with modified images and css.

Actual behaviour

Integrity check fails, with this:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- core/css/header.css
		- core/img/favicon.ico
		- core/img/background.jpg
		- core/img/logo.svg
		- core/img/favicon.svg

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [core/css/header.css] => Array
                        (
                            [expected] => 47eecc8ee5515878f9491bbb6c9f750047fb7841ad51b9f898f0f67814b22598207007dfb4e43ace861529187e0deed91cbceb5b73c73d99ef7c62c57f829e92
                            [current] => 229b46481419d7c09b645e244f5324fcbbe37788b22730c183067cd998728b742f0ffc36041a4641c3d0e14176363ab08d0185fd6de1d5cd4acf8d9d1249061c
                        )

                    [core/img/favicon.ico] => Array
                        (
                            [expected] => 5f31605962147f1bd828102cc5db006c5da78697a5f5b2300f847dca2643377b369bf3b08603f3789591fa9a69d91556ea286f39d081833f42689c44eb848c50
                            [current] => 2d723f40546ca9d59b2b454bbe87e7b38060b19303f7bb203c788b45c1a252afb2a50ca5bab59b2a9fcca949ea51d6b4ff9d2e30900a356e7aa7de4aaa7833bd
                        )

                    [core/img/background.jpg] => Array
                        (
                            [expected] => 34f73c41969d08c59ee3c550a9c6245ca722318a440e1465e2a5263453e7aa7b69d2b681d422e7c7ace3fcd658f3ba47c3cb5a88bc5e172cc7d2118bbd156b79
                            [current] => 95b454d19a8b5f6586301da10dde0fefc1e622daf3ec39a2201fb3895362c138145bfcc9a65cfbef6da9f45f370b0156307c0740db5a06ac747204d854e9791c
                        )

                    [core/img/logo.svg] => Array
                        (
                            [expected] => 0fed54bd7c739cf9fb09ed57d9f2c751579db063418382bb5c4937e4b57cfc399c6752695b41d44a11cc4fab1fa3a9cf20384479c3a9ec74d39b035c1811dcfc
                            [current] => 3a1bad1e3e32962650c2d70250c97470fcf31c5ae740085884359462a76825c2d5c7ef0e30d38730da2c16291d1ce6764d19174aeb59020960e9e0fa4c6fcea8
                        )

                    [core/img/favicon.svg] => Array
                        (
                            [expected] => a665e874427b7e11fc6676a311639ed63a2d69f1f37fdeb8702fa2d650d8875c60ff9f4ba802131fa779d74fa31950e0032877c82db127c9bd06ce27955e6f81
                            [current] => 1b4e05536209a06d913eab040ad6223a72d424a24d153a3d9aa9fc6694f7a11732933ccd3ab07a98510fb52f65b5374b1955e0c282c46dc6652bb232bc4e26ad
                        )

                )

        )

)

Server configuration

Operating system:

ubuntu 14

Web server:

apache

PHP

PHP 7.0.21-1~ubuntu14.04.1+deb.sury.org+1

Database:

mysql

ownCloud version: (see ownCloud admin page)

10.0.3

Updated from an older ownCloud or fresh install:

originally installed version 9.

Where did you install ownCloud from:

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and puth the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

dmitry · January 26, 2018, 1:06pm

Hi,

It would be better if you made your changes in to a new theme app, and then excluded this theme app from integrity check. I am not sure if the changes you made persists after an upgrade. Also excluding core directories is troublesome.

https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/config_sample_php_parameters.html?highlight=exclude#all-other-configuration-options

ted.strauss · January 26, 2018, 5:23pm

Exclude files from the integrity checker command in by adding this setting to config.php.

'integrity.excluded.files' =>
        array (
                '.DS_Store',
                'Thumbs.db',
                '.directory',
                '.webapp',
                '.htaccess',
                '.user.ini',
        ),

https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/config_sample_php_parameters.html?highlight=integrity