From 2a1704a0dcce0648f10bcb3701fe1b961ba7f329 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 11 Apr 2015 15:21:38 -0400
Subject: [PATCH] check that the downloaded ownCloud and roundcube files match a known SHA1 hash
---
 setup/functions.sh | 22 ++++++++++++++++++++++
 setup/owncloud.sh | 4 ++--
 setup/webmail.sh | 7 +++++--
 3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/setup/functions.sh b/setup/functions.sh
index 3b3b513b..d402a888 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -180,6 +180,28 @@ function input_menu {
 result_code=$?
 }
+function wget_verify {
+ # Downloads a file from the web and checks that it matches
+ # a provided hash. If the comparison fails, exit immediately.
+ URL=$1
+ HASH=$2
+ DEST=$3
+ CHECKSUM="$HASH $DEST"
+ rm -f $DEST
+ wget -q -O $DEST $URL || exit 1
+ if ! echo "$CHECKSUM" | sha1sum --check --strict > /dev/null; then
+ echo "------------------------------------------------------------"
+ echo "Download of $URL did not match expected checksum."
+ echo "Found:"
+ sha1sum $DEST
+ echo
+ echo "Expected:"
+ echo "$CHECKSUM"
+ rm -f $DEST
+ exit 1
+ fi
+}
+
 function git_clone {
 # Clones a git repository, checks out a particular commit or tag,
 # and moves the repository (or a subdirectory in it) to some path.
diff --git a/setup/owncloud.sh b/setup/owncloud.sh
index 57f66767..2a48b73b 100755
--- a/setup/owncloud.sh
+++ b/setup/owncloud.sh
@@ -16,6 +16,7 @@ apt-get purge -qq -y owncloud*
 # Install ownCloud from source of this version:
 owncloud_ver=8.0.2
+owncloud_hash=a4d1fc44bc40af87948458ae8f60ee427ecd9560
 # Check if ownCloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
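Review bot: wget_verify assigns URL, HASH, DEST and CHECKSUM without `local`; since owncloud.sh and webmail.sh call the helper directly it presumably runs in their shell, so each call overwrites same-named variables in the caller, and webmail.sh in this same patch keeps its pin in a global named `HASH`. Declaring them with `local URL=$1 HASH=$2 DEST=$3 CHECKSUM` keeps the helper self-contained. The expansions in `rm -f $DEST`, `wget -q -O $DEST $URL` and `sha1sum $DEST` are also unquoted, so a path or URL containing whitespace or glob characters would be split before the check runs; `wget -q -O "$DEST" "$URL" || exit 1`, with the same quoting on the other lines, avoids that.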
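Review bot: The pin added here, like `HASH` in webmail.sh, is a SHA-1 digest checked with `sha1sum` in wget_verify, and SHA-1 is no longer considered collision-resistant. A fixed pin mostly depends on second-preimage resistance, which SHA-1 still provides, so this is hardening rather than an open hole, but a stronger digest costs nothing here. Suggest `sha256sum --check --strict` in the helper and storing the value as `owncloud_hash=<SHA-256 of owncloud-8.0.2.zip>`, with the roundcube pin changed the same way.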
@@ -32,8 +33,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 fi
 # Download and extract ownCloud.
- rm -f /tmp/owncloud.zip
- wget -qO /tmp/owncloud.zip https://download.owncloud.org/community/owncloud-$owncloud_ver.zip
+ wget_verify https://download.owncloud.org/community/owncloud-$owncloud_ver.zip $owncloud_hash /tmp/owncloud.zip
 unzip -u -o -q /tmp/owncloud.zip -d /usr/local/lib #either extracts new or replaces current files
 rm -f /tmp/owncloud.zip
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 0c04c8ae..5c1ddb9b 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -33,6 +33,7 @@ apt-get purge -qq -y roundcube* #NODOC
 # Combine the Roundcube version number with the commit hash of vacation_sieve to track
 # whether we have the latest version.
 VERSION=1.1.0
+HASH=22e994db05a743ab49d47f1092b79f04ddb6dffd
 VACATION_SIEVE_VERSION=06a20e9d44db62259ae41fd8451f3c937d3ab4f3
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/roundcubemail/version ]; then
@@ -45,8 +46,10 @@ fi
 if [ $needs_update == 1 ]; then
 # install roundcube
 echo installing Roundcube webmail $VERSION...
- rm -f /tmp/roundcube.tgz
- wget -qO /tmp/roundcube.tgz http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/$VERSION/roundcubemail-$VERSION.tar.gz
+ wget_verify \
+ http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/$VERSION/roundcubemail-$VERSION.tar.gz \
+ $HASH \
+ /tmp/roundcube.tgz
 tar -C /usr/local/lib -zxf /tmp/roundcube.tgz
 rm -rf /usr/local/lib/roundcubemail
 mv /usr/local/lib/roundcubemail-$VERSION/ /usr/local/lib/roundcubemail
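Review bot: The archive is verified and then extracted as two separate steps on the fixed path `/tmp/owncloud.zip`, so the checksum only vouches for what `unzip` reads if no other local account can create or swap that path in between; the same applies to `/tmp/roundcube.tgz` in webmail.sh. A private directory removes the question: `tmpdir=$(mktemp -d)`, pass `"$tmpdir/owncloud.zip"` to both wget_verify and unzip, then `rm -rf -- "$tmpdir"`. The fixed /tmp path predates this commit, but the new integrity check now depends on it. The enclosing `if` block starts outside the hunk.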
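Review bot: The roundcube tarball is still requested over plain `http://`, so after this change the pinned digest is the only control between a tampered response and `tar -C /usr/local/lib -zxf`. If the download host serves this path over HTTPS, changing the URL line to `https://downloads.sourceforge.net/project/roundcubemail/roundcubemail/$VERSION/roundcubemail-$VERSION.tar.gz \` adds transport integrity on top of the pin, and a tampered response then fails at the transport layer instead of aborting setup at the checksum. The digest check should stay either way. The enclosing `if [ $needs_update == 1 ]` block continues past the end of the hunk.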