zero-24 / plg_system_httpheader

This is a Joomla Plugin that provides setting of HTTP Headers

Hashes do not match #36

Closed zest96 closed 3 years ago

zest96 commented 3 years ago

Great plugin!!

The problem is that the hashes do not match for all of my inline scripts (tested on different sites).

Resulting source code:

index.php actual code: <?php $doc->addScriptDeclaration('jQuery.event.special.touchstart = {setup:function(_,ns,handle){if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}else{this.addEventListener("touchstart",handle,{passive:true});}}};');?>

plugin generated SHA: 'sha256-XI5T8OJWCoAGU2W72aYqY5yVhW6R4SBObwSw5/58qfk='

Chrome (v91) console suggested SHA: 'sha256-nkBC8t4FwQ13XFZT8S2npkwkSACUDGTSNQd5CXK1xq0='

thanks
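The thread keeps circling around what the "hash256" calculation actually is. As an added Python example (not the plugin's code and not part of the original issue), here is the calculation a browser performs for a CSP `script-src` hash: SHA-256 over the exact UTF-8 bytes between `<script>` and `</script>`, base64-encoded. The sample script is the declaration from the report above; the surrounding-whitespace variants are constructed to show why a hash computed over the string handed to `addScriptDeclaration()` can disagree with the one the browser reports when the document renderer wraps the declaration in newlines or indentation.

```python
import base64
import hashlib
from typing import Dict, Optional


def csp_sha256(script_body: str) -> str:
    """Return the CSP 'sha256-...' source expression for an inline script.

    Browsers hash the exact bytes between <script> and </script>, so the
    input must be byte-for-byte what ends up in the rendered HTML.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


# Constructed sample: the declaration quoted in the issue, exactly as passed
# to $doc->addScriptDeclaration() (no surrounding whitespace).
SCRIPT = (
    'jQuery.event.special.touchstart = {setup:function(_,ns,handle){'
    'if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}'
    'else{this.addEventListener("touchstart",handle,{passive:true});}}};'
)


def rendered_variants(body: str) -> Dict[str, str]:
    """Plausible ways a template or document renderer might emit the same
    declaration. Only the whitespace around the body differs, but the browser
    hashes that whitespace too, so every variant has a different hash."""
    return {
        "exact": body,
        "leading_newline": "\n" + body,
        "wrapped_newlines": "\n" + body + "\n",
        "indented_tabs": "\n\t\t" + body + "\n\t",
        "trailing_newline": body + "\n",
    }


def explain_mismatch(body: str, browser_hash: str) -> Optional[str]:
    """Given the hash the browser console reported, find which rendering of
    the script produced it. Returns the variant name, or None if no candidate
    matches (meaning the rendered bytes differ in some other way)."""
    for name, variant in rendered_variants(body).items():
        if csp_sha256(variant) == browser_hash:
            return name
    return None


if __name__ == "__main__":
    for name, variant in rendered_variants(SCRIPT).items():
        print(f"{name:>18}: {csp_sha256(variant)}")
```

To debug a real mismatch, copy the script body out of the browser's "view source" (not out of the PHP file) and feed that to `csp_sha256`; if it matches the console's suggested hash, the plugin is hashing a different string than the renderer emitted.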

zero-24 commented 3 years ago

Hi, are you running on Joomla 4 or Joomla 3? If it is Joomla 3, can you test these changes as proposed for the CMS: https://github.com/joomla/joomla-cms/pull/28720/files

zest96 commented 3 years ago

Hi, thanks for the quick response.

I followed the changes, but the SHAs still don't match.

This is the test/dev site: https://packetlight.joomla-israel.co.il/

If it will help, I can give you access (whichever you need) to look and test (it's not production, so no need for backups...)

Best Regards, Oren Wassersprung Web Development and Design

Tel Aviv www.joomla-israel.co.il


zero-24 commented 3 years ago

hmm please send me SU access data to [removed] will take a look into it. Thanks!

zero-24 commented 3 years ago

I have looked into the code. You have a lot of direct script tags that are being reported here.

I have now removed all direct calls from the index.php and we are down to two reports where both are still direct script tags coming from other places (maybe extensions?). So from what it looks like to me, the hash generation works well.

My proposal would be to make sure all inline scripts in the index.php as well as the extensions are added to the document via $doc->addScriptDeclaration( and then we look into it again.

I have restored the file now with all inline scripts again.

zest96 commented 3 years ago

Hi Tobias, I've changed back all scripts to addScriptDeclaration ... now I have 1 report that contains all the addScript...

Regards, Oren Wassersprung, design and development of complex web projects.

Mobile: 050-5405400, Tel Aviv www.joomla-israel.co.il


zest96 commented 3 years ago

I now see that the hash changes on each reload.

The acymailing module has a random number which changes the SHA. I guess it's another security thing.

acymModule["excludeValuesformAcym97101"]

This is where a nonce might help, but it will require manual intervention. I've added a nonce using $_SERVER['UNIQUE_ID'], but a nonce option needs to be added to the plugin.

modules/mod_acym/mod_acym.php

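The comment above reaches for a nonce when a script body changes on every request. As an added Python example (not the plugin's code and not part of the original thread), this shows the nonce-based alternative to `{script-hashes}` the way a defender would want it set up: a fresh value per response from the OS CSPRNG with at least 128 bits of entropy, as CSP guidance requires, rather than a value derived from request metadata such as Apache's `UNIQUE_ID`, which is unique but not designed to be unguessable. The helper names, the header format and the sample tags are constructed for the example.

```python
import base64
import re
import secrets


def make_nonce() -> str:
    """16 random bytes (128 bits) from the OS CSPRNG, base64-encoded as CSP
    expects. Generate a new one for every response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header_with_nonce(nonce: str) -> str:
    """Header value allowing own-origin scripts plus inline scripts that carry
    this response's nonce (constructed example policy)."""
    return f"script-src 'self' 'nonce-{nonce}'"


def script_tag(nonce: str, body: str) -> str:
    """Render an inline script tag the policy above will accept."""
    return f'<script nonce="{nonce}">{body}</script>'


_NONCE_IN_HEADER = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
_NONCE_IN_TAG = re.compile(r'<script\b[^>]*\snonce="([^"]*)"')


def tag_allowed_by_policy(header: str, tag: str) -> bool:
    """Defender's self-check: does the inline script tag carry a nonce that the
    CSP header for the same response actually permits?"""
    allowed = set(_NONCE_IN_HEADER.findall(header))
    match = _NONCE_IN_TAG.search(tag)
    return bool(match) and match.group(1) in allowed


def nonce_is_strong(nonce: str) -> bool:
    """Valid base64 and at least 128 bits of raw entropy, per CSP guidance."""
    try:
        raw = base64.b64decode(nonce, validate=True)
    except ValueError:
        return False
    return len(raw) >= 16


if __name__ == "__main__":
    nonce = make_nonce()
    header = csp_header_with_nonce(nonce)
    tag = script_tag(nonce, 'acymModule["excludeValuesformAcym97101"] = 1;')
    print(header)
    print(tag)
    print("allowed:", tag_allowed_by_policy(header, tag), "strong:", nonce_is_strong(nonce))
```

With a nonce the script body may change on every reload (as the module's random number makes it do) without affecting the policy; the cost is that the nonce must be generated server-side per request and threaded into every inline script tag, which is the "manual intervention" the comment refers to.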
zero-24 commented 3 years ago

this is where a nonce might help. but will require a manual intervention.

Please go to the settings of the script-src and add {script-hashes}; all scripts passed via the API (I'm not sure whether it's via the API; if not, please report it to them) will be listed there and get whitelisted dynamically.

zest96 commented 3 years ago

I didn't get what to do from the last message. I use script-hashes, but they're not matching.

I can add it manually, but then what's the point? Can you tell me exactly what type of calculation is being made as the hash256?

Where is it located in the source files? Thanks, Tobias.


zero-24 commented 3 years ago

Hi, when it's not matching here, they are probably not injecting the JS via the Joomla API? Can you open an issue with acymailing and let them confirm they are using $doc->addScriptDeclaration(?

zest96 commented 3 years ago

I'm not talking about the ACY module.

The hashes of the scripts added via addScriptDeclaration are not matching. Chrome shows the right hash but the plugin produces a different hash.

The hashes are not changing anymore, so there must be a problem with the hash calculation (I also removed Gzip from the site).

I'd search for the code that calculates the hash in the plugin and compare it to an online hash calculator, but I can't find an online calculator that produces a similar hash length.


zero-24 commented 3 years ago

As discussed via mail, the issue is not from this plugin but that the inline JavaScript you have on your site is not passed via the Joomla API but inserted directly into the site. This makes it impossible for this plugin to generate the correct hash for them.

Please pass all inline JS you need via the Joomla API as documented here: https://docs.joomla.org/Adding_JavaScript

Will close this issue for now

zest96 commented 3 years ago

Hi Tobias, I need you to understand that the scripts which do pass through the API get the wrong hash. Tested on a few websites. Also in the admin area, it doesn't work.

I know I have other scripts that I pass directly, but I'm not talking about them. I don't mind the ACYmailing module either. I keep working on this site, so it's not a good environment to test it.

Do you have a working j3 site with the plugin working as expected? I will test it also on J4 (read that it's going to be integrated in J4)
