Corrupt files after uploading

[Philipp]

When you upgrade from Collabtive 1.2 to 2.0, running update.php will encrypt existing files.

I have tested this again (uploading in 1.2 and updating to 2.0) , and could not reproduce any issue with the file encryption.
I am sorry for your trouble.

[Remiguel]

Analyzing the code, previews upload files are encrypt with a random password during the update process while migrating from 1.2 to 2.0.
This password is saved in the database. If the update fail and user update a second time, a new random password is created and saved in the same database table under "filePass". I found 8 passwords saved
By file decrypting, password is fetched from the DB, but only the first occurrence is picked up

Does it possible that a file has been encrypted 8 times?
How could I check how many time the files has been encrypted.
Does it make sense to apply my files all passwords, one after the other (in a loop) to fully decrypt them?

[some person]

Analyzing the code, previews upload files are encrypt with a random password during the update process while migrating from 1.2 to 2.0.
This password is saved in the database. If the update fail and user update a second time, a new random password is created and saved in the same database table under "filePass". I found 8 passwords saved
By file decrypting, password is fetched from the DB, but only the first occurrence is picked up

Does it possible that a file has been encrypted 8 times?
How could I check how many time the files has been encrypted.
Does it make sense to apply my files all passwords, one after the other (in a loop) to fully decrypt them?

Quickly looking at the update.php code it looks like that on each run of update.php it will encrypt all the files.

If you ran the update.php page multiple times then, from the looks of it, your files were encrypted multiple times.

The only way I can see for you to get your files back is to make a loop that runs through each of the passwords.

You are going to have to save the file on each password decryption, and then rerun the decryption again with the next password.

[Philipp]

I agree with some person. Also it is important to cycle through the passwords in the right order.

I will add a check to the updater, so this can not happen in the future.
Again, i am sorry for your trouble.

[Remiguel]

Quickly looking at the update.php code it looks like that on each run of update.php it will encrypt all the files.
If you ran the update.php page multiple times then, from the looks of it, your files were encrypted multiple times.
The only way I can see for you to get your files back is to make a loop that runs through each of the passwords.
You are going to have to save the file on each password decryption, and then rerun the decryption again with the next password.

Thank you some person to confirm my suspicion. On Friday I started to write a php script to decrypt files with the possible 8 passwords I found .
I will post the code, as soon I get it working.

For those with this problem, please keep safe the setting table where passwords are saved

I agree with some person. Also it is important to cycle through the passwords in the right order.
I will add a check to the updater, so this can not happen in the future.

Thank you Philipp to modify the updater to avoid this issue or to add a warning text when update.php is used .

[Remiguel]

Ok I have a working script. I have modify the downloadfile function in "managefile.php" to make my tests.
As pointed out by Philipp, passwords have to be applied, from the last created to the first created one.

To simplify the code and save time, I have also slightly modified the decrypt function and named it decryptPFile

downloadfile function modified:

Code: Select all

elseif($action == "downloadfile")
{
   if (!$userpermissions["files"]["view"]) {
      $errtxt = $langfile["nopermission"];
      $noperm = $langfile["accessdenied"];
      $template->assign("errortext", "$errtxt<br>$noperm");
      $template->display("error.tpl");
      die();
   }

   //get the file ID.
   $fileId = getArrayVal($_GET,"file");
   $thefile = $myfile->getFile($fileId);

   //getFile path and filesize
   $filePath = $thefile["datei"];
   $fsize =  filesize($filePath);

   //Send HTTP headers for dowonload
   header('Content-Description: File Transfer');
   header('Content-Type: application/octet-stream');
   header('Content-Disposition: attachment; filename="'.basename($filePath).'"');
   header('Content-Transfer-Encoding: binary');
   header('Connection: Keep-Alive');
   header('Expires: 0');
   header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
   header('Pragma: public');
   header("Content-length: $fsize");
   //Try to decrypt the file
   //$plaintext = $myfile->decryptFile($filePath, $settings["filePass"]);

// please replace each pass with your passwords (from db)
$list = array('pass8','pass7','pass6','pass5','pass4','pass3','pass2','pass1');
// loop to decrypt with the n pass
$test = file_get_contents($filePath);
$flag = false; // test flag
foreach ($list as $contrasena) {
   $plaintext = $myfile->decryptPFile($test, $contrasena); // call the duplicated function with the modification
      if($plaintext) {
         $test = $plaintext;
         $good = $plaintext; // save as decrypt
         $flag = true; // indicator that the file has been decrypted once
      } else {
         if ($flag == false) {
         $test = file_get_contents($filePath); // will use the original file
         } else {
         $test = $good; // will use the last good decrypted file
         }
      }
}
   if(!$plaintext){
      if($good){
         $plaintext = $good;
         } else {
         $plaintext = file_get_contents($filePath); // line added, to work also with no encrypted files
         }      
   }
   //Render the content
   echo $plaintext;
}


Modification of decryptFile to create decryptPFile

decryptFile

Code: Select all

$ciphertext = file_get_contents($filename);

decryptPFile

Code: Select all

$ciphertext = $filename;

Now in the updater (update.php), I have to use this same method to decrypt all my files and encrypt them again, with only the last password or a new one.
Hope this code will help those with the same problem

[Eva]

It's fascinating to see that your octuple decryptor actually works. ^^

In general we encourage everyone to backup their files before starting an update.

[Remiguel]

Yes indeed it's fascinating that works, in total transparency for end users.
We backup all, before the update. Unfortunately this problem has been raised by our users too late and many files were uploaded afterward.
We've got files 8 times encrypted other maybe 3 or 4 times and the last files only one time.
As soon I have the script, to mass-decrypt all our files, I will clean up all this mess

Just edit my code to work with no encrypted files as well

Code: Select all

if(!$plaintext){
      if($good){
         $plaintext = $good; // last good decrypted stream
         } else {
         $plaintext = file_get_contents($filePath); // no encrypted stream
         }      
   }

[Remiguel]

I have tested a new code to decrypt all my files at once.
In my case, since we have a huge numbers of files on the server, I preferred running the script, project by project.

Use this code with caution, unlike the previous code, files on server will be modified.
Backup your files before running this code. Test the code on one project folder first.

Here the php code (save the code in a file, eg. extra.php)

Code: Select all

<?php
require("./init.php");
$path = "./include/phpseclib";
set_include_path(get_include_path() . PATH_SEPARATOR . $path);

$filesList = $conn->query("SELECT * FROM `files` WHERE `project` = 28")->fetchAll(); // line to fetch one project
//$filesList = $conn->query("SELECT * FROM `files`")->fetchAll(); // fetch all project of the database
$myfile = new datei();

foreach($filesList as $file){

   $tmpFile = CL_ROOT . "/" . $file["datei"];
   $list = array('pass8','pass7','pass6','pass5','pass4','pass3','pass2','pass1');
   $test = file_get_contents($tmpFile);
   $flag = false;
   $good = ""; // clear stream at every loop
        // loop to decrypt with the 8 pass
   foreach ($list as $contrasena) {
   $plaintext = $myfile->decryptPFile($test, $contrasena);
      if($plaintext) {
         $test = $plaintext;
         $good = $plaintext;
         $flag = true;
      } else {
         if ($flag == false) {
         $test = file_get_contents($tmpFile);
         } else {
         $test = $good;
         }
      }   
   }
   
   //will leave the file as it is, if no decryption has occurred
   if(!$plaintext){
      if($good){
         file_put_contents($tmpFile,$good);      
         }
   } else {
   file_put_contents($tmpFile,$plaintext);
   }

}

?>


All files will be decrypted on the server. You can now run update.php, to encrypt them with one unique password. Check the database to be sure to leave only the last password under "filePass"

[davidgarcia0001]

I have the same problem. Unfortunately I am not skilled enough to fix the encryption problem. Any help would be appreciated.

Thanks
David