author | Joas Schilling <nickvergessen@gmx.de> | 2013-12-16 10:18:56 +0100 |
committer | Joas Schilling <nickvergessen@gmx.de> | 2013-12-16 10:18:56 +0100 |
commit | 4a73ce0933c8bfecf37cf760d3fd96bb7a7f48ca (patch) | |
tree | 9ff4a74a99cab79322a2fe8cc728f0dc283d77df /phpBB/phpbb | |
parent | 8da2f349fe39a46fcd70e59ff087071927edbc34 (diff) | |
parent | c42bd28d172a9ae7439cc3868ebfda87e93f3490 (diff) | |
Merge remote-tracking branch 'prototech/ticket/12009' into develop
* prototech/ticket/12009:
[ticket/12009] Prevent user from enabling invalid extension through direct URL
[ticket/12009] Update functional test to check for invalid extensions.
[ticket/12009] Fix functional tests.
[ticket/12009] Move valid extensions in tests to correct dir structure.
[ticket/12009] Do not allow incorrectly structured extensions to be installed.
Diffstat (limited to 'phpBB/phpbb')
-rw-r--r-- | phpBB/phpbb/extension/manager.php | 15 | ||||
-rw-r--r-- | phpBB/phpbb/extension/metadata_manager.php | 14 |
2 files changed, 27 insertions, 2 deletions
diff --git a/phpBB/phpbb/extension/manager.php b/phpBB/phpbb/extension/manager.php
index 7f009867c9..23b281deaa 100644
--- a/phpBB/phpbb/extension/manager.php
+++ b/phpBB/phpbb/extension/manager.php
@@ -411,9 +411,24 @@ class manager
 if ($file_info->isFile() && $file_info->getFilename() == 'ext.' . $this->php_ext)
 {
 $ext_name = $iterator->getInnerIterator()->getSubPath();
+ $composer_file = $iterator->getPath() . '/composer.json';
+ // Ignore the extension if there is no composer.json.
+ if (!is_readable($composer_file) || !($ext_info = file_get_contents($composer_file)))
+ {
+ continue;
+ }
+
+ $ext_info = json_decode($ext_info, true);
 $ext_name = str_replace(DIRECTORY_SEPARATOR, '/', $ext_name);
+ // Ignore the extension if directory depth is not correct or if the directory structure
+ // does not match the name value specified in composer.json.
+ if (substr_count($ext_name, '/') !== 1 || !isset($ext_info['name']) || $ext_name != $ext_info['name'])
+ {
+ continue;
+ }
+
 $available[$ext_name] = $this->phpbb_root_path . 'ext/' . $ext_name . '/';
 }
 }
diff --git a/phpBB/phpbb/extension/metadata_manager.php b/phpBB/phpbb/extension/metadata_manager.php
index d0323120d8..66cdb86513 100644
--- a/phpBB/phpbb/extension/metadata_manager.php
+++ b/phpBB/phpbb/extension/metadata_manager.php
@@ -266,8 +266,8 @@ class metadata_manager
 */
 public function validate_enable()
 {
- // Check for phpBB, PHP versions
- if (!$this->validate_require_phpbb() || !$this->validate_require_php())
+ // Check for valid directory & phpBB, PHP versions
+ if (!$this->validate_dir() || !$this->validate_require_phpbb() || !$this->validate_require_php())
 {
 return false;
 }
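Review bot: The name check in the second added block of the manager.php hunk uses a loose `!=`, so a composer.json whose `name` is not a string still passes: `isset($ext_info['name'])` accepts values such as `0` or `true`, and under PHP's loose comparison `'vendor/ext' != 0` and `'vendor/ext' != true` are both false, which defeats the check this block was added to enforce. The comparison should be strict and type-checked: `if (substr_count($ext_name, '/') !== 1 || !isset($ext_info['name']) || !is_string($ext_info['name']) || $ext_name !== $ext_info['name'])`. The same loose `==` appears in the new `validate_dir()` in the second metadata_manager.php hunk, where `$this->ext_name == $this->get_metadata('name')` should likewise become `===` (with the same string check if `get_metadata()` can return a non-string). A malformed composer.json is handled only implicitly — `json_decode()` returns null and `isset()` on it is false — so a short comment on the `json_decode` line, e.g. `// Invalid JSON yields null; the isset() below then rejects the extension.`, would keep a later reader from adding a redundant check. The enclosing foreach and method continue outside the hunk.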
@@ -275,6 +275,16 @@ class metadata_manager return true; } + /** + * Validates the most basic directory structure to ensure it follows <vendor>/<ext> convention. + * + * @return boolean True when passes validation + */ + public function validate_dir() + { + return (substr_count($this->ext_name, '/') === 1 && $this->ext_name == $this->get_metadata('name')); + } + /** * Validates the contents of the phpbb requirement field |
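Review bot: The docblock on the new `validate_dir()` describes only the `<vendor>/<ext>` depth rule, while the method also fails when `$this->ext_name` differs from the metadata `name` value, so a caller reading the summary would not expect a name mismatch to block enabling. Suggest widening the summary to `* Validates the most basic directory structure: the extension name must follow the <vendor>/<ext> convention and match the "name" value of its metadata.` and keeping the existing `@return` line. Whether `get_metadata('name')` can return something other than a string is not visible in this hunk; if it can, the docblock should say what the method does in that case.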