From cc64471e4c4cbda6f79c50ca784d0b927a45a6a5 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Sun, 31 Mar 2019 21:53:08 -0400
Subject: [PATCH] Sanitize addon path items

---
 src/Core/Addon.php | 47 +++++++++++++++++++++++++---------------------
 src/Core/Hook.php  |  3 +++
 src/Core/L10n.php  |  5 ++++-
 3 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/src/Core/Addon.php b/src/Core/Addon.php
index 7957e08350..06a731b2cd 100644
--- a/src/Core/Addon.php
+++ b/src/Core/Addon.php
@@ -6,6 +6,7 @@ namespace Friendica\Core;
 
 use Friendica\BaseObject;
 use Friendica\Database\DBA;
+use Friendica\Util\Strings;
 
 /**
  * Some functions to handle addons
@@ -81,6 +82,8 @@ class Addon extends BaseObject
 	 */
 	public static function uninstall($addon)
 	{
+		$addon = Strings::sanitizeFilePathItem($addon);
+
 		Logger::notice("Addon {addon}: {action}", ['action' => 'uninstall', 'addon' => $addon]);
 		DBA::delete('addon', ['name' => $addon]);
 
@@ -102,11 +105,13 @@ class Addon extends BaseObject
 	 */
 	public static function install($addon)
 	{
-		// silently fail if addon was removed
+		$addon = Strings::sanitizeFilePathItem($addon);
+		// silently fail if addon was removed of if $addon is funky
 		if (!file_exists('addon/' . $addon . '/' . $addon . '.php')) {
 			return false;
 		}
+
 		Logger::notice("Addon {addon}: {action}", ['action' => 'install', 'addon' => $addon]);
 		$t = @filemtime('addon/' . $addon . '/' . $addon . '.php');
 		@include_once('addon/' . $addon . '/' . $addon . '.php');
 
@@ -130,6 +135,7 @@ class Addon extends BaseObject
 			if (!self::isEnabled($addon)) {
 				self::$addons[] = $addon;
 			}
+
 			return true;
 		} else {
 			Logger::error("Addon {addon}: {action} failed", ['action' => 'uninstall', 'addon' => $addon]);
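Review bot: The replacement comment in install() has a typo, `of if` for `or if`, and is vaguer than the guard it now describes; I would write it as `// silently fail if the addon was removed or if $addon did not survive Strings::sanitizeFilePathItem()`. The same sanitized value now feeds `DBA::delete('addon', ['name' => $addon])` in the uninstall hunk above, so a row stored under a name that sanitizing would alter can no longer be removed through uninstall(); that is presumably intended, since install() records the sanitized name too, but it deserves a sentence in the uninstall() docblock. What sanitizeFilePathItem() actually strips is not visible in this patch, so I am assuming it removes directory separators and `..` components before the value is concatenated into the `addon/…/….php` paths. Both install() and uninstall() continue outside their hunks.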
@@ -153,29 +159,26 @@ class Addon extends BaseObject
 
 		$addon_list = explode(',', $addons);
 
-		if (count($addon_list)) {
-			foreach ($addon_list as $addon) {
-				$addon = trim($addon);
-				$fname = 'addon/' . $addon . '/' . $addon . '.php';
+		foreach ($addon_list as $addon) {
+			$addon = Strings::sanitizeFilePathItem(trim($addon));
+			$fname = 'addon/' . $addon . '/' . $addon . '.php';
+			if (file_exists($fname)) {
+				$t = @filemtime($fname);
+				foreach ($installed as $i) {
+					if (($i['name'] == $addon) && ($i['timestamp'] != $t)) {
 
-				if (file_exists($fname)) {
-					$t = @filemtime($fname);
-					foreach ($installed as $i) {
-						if (($i['name'] == $addon) && ($i['timestamp'] != $t)) {
+						Logger::notice("Addon {addon}: {action}", ['action' => 'reload', 'addon' => $i['name']]);
+						@include_once($fname);
 
-							Logger::notice("Addon {addon}: {action}", ['action' => 'reload', 'addon' => $i['name']]);
-							@include_once($fname);
-
-							if (function_exists($addon . '_uninstall')) {
-								$func = $addon . '_uninstall';
-								$func(self::getApp());
-							}
-							if (function_exists($addon . '_install')) {
-								$func = $addon . '_install';
-								$func(self::getApp());
-							}
-							DBA::update('addon', ['timestamp' => $t], ['id' => $i['id']]);
+						if (function_exists($addon . '_uninstall')) {
+							$func = $addon . '_uninstall';
+							$func(self::getApp());
 						}
+						if (function_exists($addon . '_install')) {
+							$func = $addon . '_install';
+							$func(self::getApp());
+						}
+						DBA::update('addon', ['timestamp' => $t], ['id' => $i['id']]);
 					}
 				}
 			}
@@ -204,6 +207,8 @@ class Addon extends BaseObject
 	{
 		$a = self::getApp();
 
+		$addon = Strings::sanitizeFilePathItem($addon);
+
 		$info = [
 			'name' => $addon,
 			'description' => "",
diff --git a/src/Core/Hook.php b/src/Core/Hook.php
index 7f0c015b3d..5caa543194 100644
--- a/src/Core/Hook.php
+++ b/src/Core/Hook.php
@@ -7,6 +7,7 @@ namespace Friendica\Core;
 use Friendica\App;
 use Friendica\BaseObject;
 use Friendica\Database\DBA;
+use Friendica\Util\Strings;
 
 /**
  * Some functions to handle hooks
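Review bot: The match against the installed rows at `if (($i['name'] == $addon) && ($i['timestamp'] != $t))` now compares a trimmed, sanitized value with whatever is stored in the `addon` table using loose `==`; both sides are strings, so `$i['name'] === $addon` is the safer form, and isAddonApp() in Hook.php makes the same loose comparison at `$hook[0] == 'addon/' . $name . '/' . $name . '.php'`. Dropping `if (count($addon_list))` is correct because explode() never returns an empty array, but an empty entry (a trailing comma in the configured list) now reaches sanitizeFilePathItem() and `file_exists('addon//.php')`, which merely returns false; an explicit `if ($addon === '') { continue; }` after the trim would make that path intentional rather than accidental. The enclosing function starts and ends outside the hunk.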
@@ -215,6 +216,8 @@ class Hook extends BaseObject
 	 */
 	public static function isAddonApp($name)
 	{
+		$name = Strings::sanitizeFilePathItem($name);
+
 		if (array_key_exists('app_menu', self::$hooks)) {
 			foreach (self::$hooks['app_menu'] as $hook) {
 				if ($hook[0] == 'addon/' . $name . '/' . $name . '.php') {
diff --git a/src/Core/L10n.php b/src/Core/L10n.php
index f7ed9918ce..ae0ed18c3d 100644
--- a/src/Core/L10n.php
+++ b/src/Core/L10n.php
@@ -6,6 +6,7 @@ namespace Friendica\Core;
 
 use Friendica\BaseObject;
 use Friendica\Database\DBA;
+use Friendica\Util\Strings;
 
 /**
  * Provide Language, Translation, and Localization functions to the application
@@ -193,6 +194,8 @@ class L10n extends BaseObject
 	 */
 	private static function loadTranslationTable($lang)
 	{
+		$lang = Strings::sanitizeFilePathItem($lang);
+
 		if ($lang === self::$lang) {
 			return;
 		}
@@ -203,7 +206,7 @@ class L10n extends BaseObject
 		// load enabled addons strings
 		$addons = DBA::select('addon', ['name'], ['installed' => true]);
 		while ($p = DBA::fetch($addons)) {
-			$name = $p['name'];
+			$name = Strings::sanitizeFilePathItem($p['name']);
 			if (file_exists("addon/$name/lang/$lang/strings.php")) {
 				include "addon/$name/lang/$lang/strings.php";
 			}
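Review bot: The early return `if ($lang === self::$lang)` in loadTranslationTable() is now evaluated against the sanitized `$lang`, so it only short-circuits as intended if every assignment to `self::$lang` (none is visible in these hunks) stores the sanitized form as well; otherwise a caller passing a value that sanitizing changes would rebuild the tables on every call. A docblock line would make the contract explicit: `@param string $lang Language code; passed through Strings::sanitizeFilePathItem() before it is used as a directory name.` In the second hunk, sanitizing `$p['name']` is a sound defence-in-depth step even though the rows come from the database, because the value is interpolated directly into an `include` path. The function continues past both hunks.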