Download Passes SHA256sum, but site reports Integrity Check Failures

ℹ️ Support
1

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

[/details]

Nextcloud version (eg, 12.0.2): 17.0.0
Operating system and version (eg, Ubuntu 17.04): Unknown Linux (Web Host Stack)
Apache or nginx version (eg, Apache 2.4.25): cpsrvd 11.82.0.17
PHP version (eg, 7.1): 7.2.7

The issue you are facing:
I have downloaded 17.0.0 and successfully completed a checksum on the zip file.
I have locally unpacked the zip file and then transferred content to my ISP using FileZilla.
I have completed the configuration to my provided MariaDB
I have the site up and running and can add content, create users, etc.

When I perform a “Security & Setup” check using the Admin Overview, I get the “Some files have not passed the integrity check” warning.

When I click the link to show the actual errors, I get the response pasted between the snippets, below:-

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- INVALID_HASH
		- core/doc/admin/_static/img/note_pencil.svg
		- core/doc/admin/_static/img/warning.svg

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [core/doc/admin/_static/img/note_pencil.svg] => Array
                        (
                            [expected] => 78b9df57afe9468145e6e375cd1f61274b269b9c3019726a99e043ae952367acf53cf471cbc5b3dcca2e68367c2c4422d4a9f9a9fdbb11f9b962845ac77857de
                            [current] => 97117ce2827cc1b742678b52fc100de1e7d3fdb1adeea04a301c012e7f95b66e10a369c6a83ba89a707c4232b5e31fba3d5e58b0e0d970f22031d0704eebb5a9
                        )

                    [core/doc/admin/_static/img/warning.svg] => Array
                        (
                            [expected] => e8647b47ef1531b8c2fcdd51f76996fe85476467fc694540f3dcf8ce7e7da489e99edae5a158742da71c07dc09ccfaf721f01c1c4bda3f5bae9b711981b71a1b
                            [current] => 85687f19cf204716e9b1c608682aa22c045b6f8284a3496db07f13200952491bfea54deee7ef11115c0dedfd87443c7022ef05792892a8a984866752c8ec5726
                        )

                )

        )

)

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:
No replication attempt at this point - see below…

The output of your Nextcloud log in Admin > Logging:

Can provide if needed - see question below...

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'oc2zpfy2zr20',
  'passwordsalt' => '5rPxtzkZ0PwlGc9C7QpDrnlt//i2fX',
  'secret' => '### removed ###',
  'trusted_domains' => 
  array (
    0 => '##.######.org',
  ),
  'datadirectory' => '/home/######/public_html/######/nc/data',
  'dbtype' => 'mysql',
  'version' => '17.0.0.9',
  'overwrite.cli.url' => 'http://##.######.org',
  'dbname' => 'sauriano_NextCloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'sauriano_NextCloud',
  'dbpassword' => '### Removed ###',
  'installed' => true,
  'maintenance' => false,
  'mail_from_address' => 'nc',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '### removed ###',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'chimail.uk2.net',
);

The output of your Apache/nginx/system log in /var/log/____:

Don't have access to this ...

OK, the question is this…
As per the Security & Status warning of the “Administration: Overview” function, there is a reported error with 2 Scalable Vector Graphics files. As stated, I checked the integrity of the downloaded zip file before expanding and before attempting upload and found no issues.

Given that the reported errors are very narrow in scope and relate to svg files, would it be safe to…

  1. re-download the NextCloud Zip File or tarball…
  2. Expand the archive on a local file system…
  3. Find the 2 files being reported as corrupted by the integrity check…
  4. Manually ftp just those 2 files back to the web space…
  5. Re-run the integrity check?

If I follow this process, is appropriate to replace the existing files, or is it safe to temporarily rename them “_orig” and then revert if this does not fix the problem.

Please note that I do not have the ability to disable the web server whilst performing these checks…

Guidance much appreciated, thank you…

2

This is indeed the way I recommend to fix the problem. I think there is no need to backup the existing files, because it can always be recovered from the archive.

1 Like
3

Thank you; I very much appreciate your response and confirmation. It seemed the least risk and least intrusive [as everything seems to be working] but I’m grateful for your response.

4

j-ed,
Completed the activity as you recommended. I discovered that the uploaded version of note_pencil.svg had a file size of 741 bytes. My tarball copy is 751 bytes. I had exactly the same difference with warning.svg, which was 613 bytes on my web server and 623 bytes in my tarball.

I have FileZilla’d in replacement copies and re-run the security validation and those issues are now resolved.

Now I all have to do is prod my ISP into giving me SSH access and I’ll be able to address the PHP OPcache issues and I’ll be … un-stoppable!!!

Thank you for the kind and prompt assist - it was much appreciated.

1 Like
5

Congratulations. :+1:

6

OK, I think I’d like to make claim for “Weird Happening of the Week”… As the above thread shows, I followed j-ed’s advice and extracted “clean” versions of the two SVG files from a cleanly down-loaded and SHA256-sum verified zip. I replaced the on-line copies, re-ran my integrity checks and earned a clean bill of health…

Tonight I thought I’d have a go at clearing up the “other” NextCloud-related challenge with my NextCloud instance, which relates to my ISP’s default php.ini file having a sub-optimal opcache setup. I went back in to the NextCloud integrity check, and… the two SVG files that were reported as defective at installation - and which I fixed have now reverted back to their broken forms.

I’m in the process of re-uploading “clean” copies of these 2 files, but suddenly this seems a lot more interesting. I’m happy to check/experiment/etc, to provide information about the build or setup, but I am now wondering if there is something in the default codebase that is “touching” these files in some way?

The only other thing I can think of - which is a bit more concerning - would be if these SVG files were being loaded with malicious javascript. Therefore, before I wipe the suspect copies, I’m going to download them on to a spare USB key, just in case we need some forensic testing.

However, I think I’m also going to need some help diagnosing this one, to see if there are any less malign explanations.

Any advice gratefully received; happy to query install and report back on config details as required.

Thank you in advance.

7

OK, I am definitely claiming “Weird Happening of the Week” … Got my ftp client up and running. Delete the two suspect files from the server to get things started. Drag-and-drop the “good” files to the server using FileZilla.

Instantly, as in literally as I sat and watched it the length of each file changed as the download completed. note_pencil.svg landed on the server side @ 751 bytes; it stayed that way for a brief fraction of a second before I saw the file length change right before my eyes.

I think I’m going to raise a ticket with my ISP.

8

I would assume that a kind of automatic restore function is running in the background which prevents any changes. To contact your ISP seems to be the right way to go.

9

Thank you Sir. On it.

10

You’re welcome :slight_smile:

11

OK, just in case this is relevant, I’m going to add that I’ve just been looking in my log file and today I see very nearly the same error all being reported at the exact same time. The 3 error instances are:-

escapeshellarg() has been disabled for security reasons at /home/sauriano/public_html/saurian/nc/apps/spreed/lib/Chat/Command/ShellExecutor.php#66

escapeshellarg() has been disabled for security reasons at /home/sauriano/public_html/saurian/nc/apps/spreed/lib/Chat/Command/ShellExecutor.php#49

escapeshellarg() has been disabled for security reasons at /home/sauriano/public_html/saurian/nc/apps/spreed/lib/Chat/Command/ShellExecutor.php#48

The timestamps are the same:-

2019-10-31T18:27:47+0000

No idea if these are related [I don’t see them anywhere else in the log] but 3 at the same time just seemed odd…