Sanitize addon path items

This commit is contained in:
Hypolite Petovan 2019-03-31 21:53:08 -04:00
parent b529c03a20
commit cc64471e4c
3 changed files with 33 additions and 22 deletions

View file

@ -6,6 +6,7 @@ namespace Friendica\Core;
use Friendica\BaseObject; use Friendica\BaseObject;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Util\Strings;
/** /**
* Some functions to handle addons * Some functions to handle addons
@ -81,6 +82,8 @@ class Addon extends BaseObject
*/ */
public static function uninstall($addon) public static function uninstall($addon)
{ {
$addon = Strings::sanitizeFilePathItem($addon);
Logger::notice("Addon {addon}: {action}", ['action' => 'uninstall', 'addon' => $addon]); Logger::notice("Addon {addon}: {action}", ['action' => 'uninstall', 'addon' => $addon]);
DBA::delete('addon', ['name' => $addon]); DBA::delete('addon', ['name' => $addon]);
@ -102,11 +105,13 @@ class Addon extends BaseObject
*/ */
public static function install($addon) public static function install($addon)
{ {
// silently fail if addon was removed $addon = Strings::sanitizeFilePathItem($addon);
// silently fail if addon was removed of if $addon is funky
if (!file_exists('addon/' . $addon . '/' . $addon . '.php')) { if (!file_exists('addon/' . $addon . '/' . $addon . '.php')) {
return false; return false;
} }
Logger::notice("Addon {addon}: {action}", ['action' => 'install', 'addon' => $addon]); Logger::notice("Addon {addon}: {action}", ['action' => 'install', 'addon' => $addon]);
$t = @filemtime('addon/' . $addon . '/' . $addon . '.php'); $t = @filemtime('addon/' . $addon . '/' . $addon . '.php');
@include_once('addon/' . $addon . '/' . $addon . '.php'); @include_once('addon/' . $addon . '/' . $addon . '.php');
@ -130,6 +135,7 @@ class Addon extends BaseObject
if (!self::isEnabled($addon)) { if (!self::isEnabled($addon)) {
self::$addons[] = $addon; self::$addons[] = $addon;
} }
return true; return true;
} else { } else {
Logger::error("Addon {addon}: {action} failed", ['action' => 'uninstall', 'addon' => $addon]); Logger::error("Addon {addon}: {action} failed", ['action' => 'uninstall', 'addon' => $addon]);
@ -153,11 +159,9 @@ class Addon extends BaseObject
$addon_list = explode(',', $addons); $addon_list = explode(',', $addons);
if (count($addon_list)) {
foreach ($addon_list as $addon) { foreach ($addon_list as $addon) {
$addon = trim($addon); $addon = Strings::sanitizeFilePathItem(trim($addon));
$fname = 'addon/' . $addon . '/' . $addon . '.php'; $fname = 'addon/' . $addon . '/' . $addon . '.php';
if (file_exists($fname)) { if (file_exists($fname)) {
$t = @filemtime($fname); $t = @filemtime($fname);
foreach ($installed as $i) { foreach ($installed as $i) {
@ -181,7 +185,6 @@ class Addon extends BaseObject
} }
} }
} }
}
/** /**
* @brief Parse addon comment in search of addon infos. * @brief Parse addon comment in search of addon infos.
@ -204,6 +207,8 @@ class Addon extends BaseObject
{ {
$a = self::getApp(); $a = self::getApp();
$addon = Strings::sanitizeFilePathItem($addon);
$info = [ $info = [
'name' => $addon, 'name' => $addon,
'description' => "", 'description' => "",

View file

@ -7,6 +7,7 @@ namespace Friendica\Core;
use Friendica\App; use Friendica\App;
use Friendica\BaseObject; use Friendica\BaseObject;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Util\Strings;
/** /**
* Some functions to handle hooks * Some functions to handle hooks
@ -215,6 +216,8 @@ class Hook extends BaseObject
*/ */
public static function isAddonApp($name) public static function isAddonApp($name)
{ {
$name = Strings::sanitizeFilePathItem($name);
if (array_key_exists('app_menu', self::$hooks)) { if (array_key_exists('app_menu', self::$hooks)) {
foreach (self::$hooks['app_menu'] as $hook) { foreach (self::$hooks['app_menu'] as $hook) {
if ($hook[0] == 'addon/' . $name . '/' . $name . '.php') { if ($hook[0] == 'addon/' . $name . '/' . $name . '.php') {

View file

@ -6,6 +6,7 @@ namespace Friendica\Core;
use Friendica\BaseObject; use Friendica\BaseObject;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Util\Strings;
/** /**
* Provide Language, Translation, and Localization functions to the application * Provide Language, Translation, and Localization functions to the application
@ -193,6 +194,8 @@ class L10n extends BaseObject
*/ */
private static function loadTranslationTable($lang) private static function loadTranslationTable($lang)
{ {
$lang = Strings::sanitizeFilePathItem($lang);
if ($lang === self::$lang) { if ($lang === self::$lang) {
return; return;
} }
@ -203,7 +206,7 @@ class L10n extends BaseObject
// load enabled addons strings // load enabled addons strings
$addons = DBA::select('addon', ['name'], ['installed' => true]); $addons = DBA::select('addon', ['name'], ['installed' => true]);
while ($p = DBA::fetch($addons)) { while ($p = DBA::fetch($addons)) {
$name = $p['name']; $name = Strings::sanitizeFilePathItem($p['name']);
if (file_exists("addon/$name/lang/$lang/strings.php")) { if (file_exists("addon/$name/lang/$lang/strings.php")) {
include "addon/$name/lang/$lang/strings.php"; include "addon/$name/lang/$lang/strings.php";
} }