Wordfence detects possible malware in nextcloud/apps/mail/vendor/wamania/php-stemmer/test/files/ca.txt

Nextcloud version: 28.0.4.1 stable channel
Operating system and version: Debian 11.9 with Plesk Obsidian 18.0.59 Update 2
nginx version: 1.24.0.3-v.debian.11+p18.0.59.0+t240201.0816
PHP version: 8.2.18

The issue you are facing: I have Nextcloud installed in some domains within my Plesk server. In these domains, I have WordPress with the Wordfence security plugin, which is notifying me that the file:

nextcloud/apps/mail/vendor/wamania/php-stemmer/test/files/ca.txt

looks suspicious of including malware as per their Spam:TXT/listed.10251 policy:
Content resembling that found in spam infections. The coinciding text in this file is:

\x0astreaming streaming\x0astreet street\x0astriata striat\x0astriatus striat\x0astricto strict\x0astring string\x0astripper stripp\x0astriptease stripte\x0astroke strok\x0astudio stud\x0astudi…

I would like to know if this is a false positive or shall I delete this file; and is it safe to delete it?

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

  1. Install Nextcloud latest version on a domain in Plesk
  2. Install WordPress and Wordfence plugin in the same domain
  3. Run Wordfence analysis

It seems to be a test file for this module:

I don’t know if it is possible to use this code without including all the tests, especially for the packaged version. In the end it is just text that should not hurt anybody. You can probably delete it, but the integrity check will probably tell you at some point that your file structure looks different than default setups, and the files will come back with each update.
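
A quick way to triage a detection like this one, as an added example that is not part of the thread and not code from Nextcloud, Wordfence or php-stemmer: the function checks that a flagged file consists only of `word stem` pairs, the shape visible in the excerpt Wordfence quoted, and reports anything that looks like active content. The sample bytes are constructed from that excerpt; the name `triage` and the marker list are assumptions of this example.

```python
import re

# One vocabulary entry per line: "<word> <expected stem>", each starting with a
# letter (Unicode letters, apostrophes, hyphens and the Catalan middle dot allowed).
PAIR = re.compile(r"^[^\W\d_][\w'’·-]*\s+[^\W\d_][\w'’·-]*$")

# Assumed marker list: byte patterns that deserve a closer look on a PHP host.
ACTIVE = re.compile(rb"<\?(php|=)|<script|<iframe|https?://|eval\s*\(|base64_decode", re.I)

# Constructed sample, built from the words in the excerpt Wordfence reported.
SAMPLE = (
    "streaming streaming\nstreet street\nstriata striat\nstriatus striat\n"
    "stricto strict\nstring string\nstripper stripp\nstriptease stripte\n"
    "stroke strok\nstudio stud\n"
).encode("utf-8")
# Constructed counter-example: the same list with one line of PHP appended.
TAMPERED = SAMPLE + b"<?php echo 'constructed marker'; ?>\n"


def triage(data: bytes) -> dict:
    """Classify a flagged file as plain word/stem data or as needing review."""
    markers = {m.group(0).lower().decode("ascii") for m in ACTIVE.finditer(data)}
    report = {"active_markers": sorted(markers), "bad_lines": [], "pairs": 0}
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        # Binary or mis-encoded content is not a stemmer word list.
        report["bad_lines"].append((0, "not valid UTF-8"))
        report["verdict"] = "review"
        return report
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if PAIR.match(line):
            report["pairs"] += 1
        else:
            report["bad_lines"].append((number, line[:60]))
    clean = not markers and not report["bad_lines"] and report["pairs"] > 0
    report["verdict"] = "word-list" if clean else "review"
    return report


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("tampered", TAMPERED)):
        print(name, triage(blob))
```

A `word-list` verdict only says the content has the shape of stemmer test data; comparing the file with the copy shipped in the app release remains the stronger check.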

Thanks for the report :+1:

Would you mind logging an issue at Issues · nextcloud/mail · GitHub?

Afaik it should be enough to add the path to mail/.nextcloudignore at main · nextcloud/mail · GitHub to exclude it

I just did: