From 9e8bcd5f2ba2246ad2dff46d0313cb0c9e9f5579 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 10 Dec 2013 15:56:06 +0100
Subject: fix possible XSS vulnerability in Plugin Manager
The plugin manager echos raw URLs in error messages, this could allow to construct an XSS attack. However the affected form is CSRF protected, so an attacker would require another XSS vulnerability to get the needed token, rendering this attack unneeded. So this should not be exploitable.
---
lib/plugins/plugin/classes/ap_download.class.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/plugins/plugin/classes/ap_download.class.php')
diff --git a/lib/plugins/plugin/classes/ap_download.class.php b/lib/plugins/plugin/classes/ap_download.class.php
index 3cc455867..b1be11506 100644
--- a/lib/plugins/plugin/classes/ap_download.class.php
+++ b/lib/plugins/plugin/classes/ap_download.class.php
@@ -24,7 +24,7 @@ class ap_download extends ap_manage { ptln('

'.$this->lang['downloading'].'

'); if ($this->manager->error) { - ptln('
'.str_replace("\n","
",$this->manager->error).'
'); + ptln('
'.str_replace("\n","
",hsc($this->manager->error)).'
'); } else if (count($this->downloaded) == 1) { ptln('

'.sprintf($this->lang['downloaded'],$this->downloaded[0]).'

'); } else if (count($this->downloaded)) { // more than one plugin in the download -- cgit v1.2.3 From 9672d9f3bf51a5b383078874035796c6ac776eb1 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 5 Jan 2014 20:58:48 +0100 Subject: removed the old plugin manager --- lib/plugins/plugin/classes/ap_download.class.php | 288 ----------------------- 1 file changed, 288 deletions(-) delete mode 100644 lib/plugins/plugin/classes/ap_download.class.php (limited to 'lib/plugins/plugin/classes/ap_download.class.php') diff --git a/lib/plugins/plugin/classes/ap_download.class.php b/lib/plugins/plugin/classes/ap_download.class.php deleted file mode 100644 index b1be11506..000000000 --- a/lib/plugins/plugin/classes/ap_download.class.php +++ /dev/null @@ -1,288 +0,0 @@ -str('url'); - $this->download($plugin_url, $this->overwrite); - return ''; - } - - /** - * Print results of the download - */ - function html() { - parent::html(); - - ptln('
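Review bot: The escaping added on the error branch does not cover the neighbouring output of the same `html()` method: the context line `sprintf($this->lang['downloaded'],$this->downloaded[0])` still prints the plugin base name unescaped, and so does the per-plugin loop further down the method, outside this hunk. Those names come from `$item['base']`, which `find_folders()` takes from the `base` setting of the archive's `plugin.info.txt`/`template.info.txt` (visible in the file contents removed by the second commit on this page), so they are as attacker-influenced as the URL the commit message cites, even if the CSRF token keeps the form from being triggered remotely. Wrapping them the same way, `sprintf($this->lang['downloaded'], hsc($this->downloaded[0]))` and `'.hsc($plugin).'` in the loop, would make the escaping consistent across the method. Applying `hsc()` before `str_replace()` is the right order here, since the line-break markup substituted for `\n` has to stay unescaped. `html()` starts and ends outside the hunk.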
'); - ptln('

'.$this->lang['downloading'].'

'); - - if ($this->manager->error) { - ptln('
'.str_replace("\n","
",hsc($this->manager->error)).'
'); - } else if (count($this->downloaded) == 1) { - ptln('

'.sprintf($this->lang['downloaded'],$this->downloaded[0]).'

'); - } else if (count($this->downloaded)) { // more than one plugin in the download - ptln('

'.$this->lang['downloads'].'

'); - ptln('
    '); - foreach ($this->downloaded as $plugin) { - ptln('
  • '.$plugin.'
  • ',2); - } - ptln('
'); - } else { // none found in download - ptln('

'.$this->lang['download_none'].'

'); - } - ptln('
'); - } - - /** - * Process the downloaded file - */ - function download($url, $overwrite=false) { - // check the url - $matches = array(); - if (!preg_match("/[^\/]*$/", $url, $matches) || !$matches[0]) { - $this->manager->error = $this->lang['error_badurl']."\n"; - return false; - } - - $file = $matches[0]; - - if (!($tmp = io_mktmpdir())) { - $this->manager->error = $this->lang['error_dircreate']."\n"; - return false; - } - - if (!$file = io_download($url, "$tmp/", true, $file, 0)) { - $this->manager->error = sprintf($this->lang['error_download'],$url)."\n"; - } - - if (!$this->manager->error && !$this->decompress("$tmp/$file", $tmp)) { - $this->manager->error = sprintf($this->lang['error_decompress'],$file)."\n"; - } - - // search $tmp for the folder(s) that has been created - // move the folder(s) to lib/plugins/ - if (!$this->manager->error) { - $result = array('old'=>array(), 'new'=>array()); - if($this->find_folders($result,$tmp)){ - // choose correct result array - if(count($result['new'])){ - $install = $result['new']; - }else{ - $install = $result['old']; - } - - // now install all found items - foreach($install as $item){ - // where to install? - if($item['type'] == 'template'){ - $target = DOKU_INC.'lib/tpl/'.$item['base']; - }else{ - $target = DOKU_INC.'lib/plugins/'.$item['base']; - } - - // check to make sure we aren't overwriting anything - if (!$overwrite && @file_exists($target)) { - // remember our settings, ask the user to confirm overwrite, FIXME - continue; - } - - $instruction = @file_exists($target) ? 
'update' : 'install'; - - // copy action - if ($this->dircopy($item['tmp'], $target)) { - $this->downloaded[] = $item['base']; - $this->plugin_writelog($target, $instruction, array($url)); - } else { - $this->manager->error .= sprintf($this->lang['error_copy']."\n", $item['base']); - } - } - - } else { - $this->manager->error = $this->lang['error']."\n"; - } - } - - // cleanup - if ($tmp) $this->dir_delete($tmp); - - if (!$this->manager->error) { - msg(sprintf($this->lang['packageinstalled'], count($this->downloaded), join(',',$this->downloaded)),1); - $this->refresh(); - return true; - } - - return false; - } - - /** - * Find out what was in the extracted directory - * - * Correct folders are searched recursively using the "*.info.txt" configs - * as indicator for a root folder. When such a file is found, it's base - * setting is used (when set). All folders found by this method are stored - * in the 'new' key of the $result array. - * - * For backwards compatibility all found top level folders are stored as - * in the 'old' key of the $result array. - * - * When no items are found in 'new' the copy mechanism should fall back - * the 'old' list. - * - * @author Andreas Gohr - * @param arrayref $result - results are stored here - * @param string $base - the temp directory where the package was unpacked to - * @param string $dir - a subdirectory. do not set. used by recursion - * @return bool - false on error - */ - function find_folders(&$result,$base,$dir=''){ - $dh = @opendir("$base/$dir"); - if(!$dh) return false; - while (false !== ($f = readdir($dh))) { - if ($f == '.' || $f == '..' 
|| $f == 'tmp') continue; - - if(!is_dir("$base/$dir/$f")){ - // it's a file -> check for config - if($f == 'plugin.info.txt'){ - $info = array(); - $info['type'] = 'plugin'; - $info['tmp'] = "$base/$dir"; - $conf = confToHash("$base/$dir/$f"); - $info['base'] = utf8_basename($conf['base']); - if(!$info['base']) $info['base'] = utf8_basename("$base/$dir"); - $result['new'][] = $info; - }elseif($f == 'template.info.txt'){ - $info = array(); - $info['type'] = 'template'; - $info['tmp'] = "$base/$dir"; - $conf = confToHash("$base/$dir/$f"); - $info['base'] = utf8_basename($conf['base']); - if(!$info['base']) $info['base'] = utf8_basename("$base/$dir"); - $result['new'][] = $info; - } - }else{ - // it's a directory -> add to dir list for old method, then recurse - if(!$dir){ - $info = array(); - $info['type'] = 'plugin'; - $info['tmp'] = "$base/$dir/$f"; - $info['base'] = $f; - $result['old'][] = $info; - } - $this->find_folders($result,$base,"$dir/$f"); - } - } - closedir($dh); - return true; - } - - - /** - * Decompress a given file to the given target directory - * - * Determines the compression type from the file extension - */ - function decompress($file, $target) { - global $conf; - - // decompression library doesn't like target folders ending in "/" - if (substr($target, -1) == "/") $target = substr($target, 0, -1); - - $ext = $this->guess_archive($file); - if (in_array($ext, array('tar','bz','gz'))) { - switch($ext){ - case 'bz': - $compress_type = Tar::COMPRESS_BZIP; - break; - case 'gz': - $compress_type = Tar::COMPRESS_GZIP; - break; - default: - $compress_type = Tar::COMPRESS_NONE; - } - - $tar = new Tar(); - try { - $tar->open($file, $compress_type); - $tar->extract($target); - return true; - }catch(Exception $e){ - if($conf['allowdebug']){ - msg('Tar Error: '.$e->getMessage().' 
['.$e->getFile().':'.$e->getLine().']',-1); - } - return false; - } - } else if ($ext == 'zip') { - - $zip = new ZipLib(); - $ok = $zip->Extract($file, $target); - - // FIXME sort something out for handling zip error messages meaningfully - return ($ok==-1?false:true); - - } - - // unsupported file type - return false; - } - - /** - * Determine the archive type of the given file - * - * Reads the first magic bytes of the given file for content type guessing, - * if neither bz, gz or zip are recognized, tar is assumed. - * - * @author Andreas Gohr - * @returns boolean|string false if the file can't be read, otherwise an "extension" - */ - function guess_archive($file){ - $fh = fopen($file,'rb'); - if(!$fh) return false; - $magic = fread($fh,5); - fclose($fh); - - if(strpos($magic,"\x42\x5a") === 0) return 'bz'; - if(strpos($magic,"\x1f\x8b") === 0) return 'gz'; - if(strpos($magic,"\x50\x4b\x03\x04") === 0) return 'zip'; - return 'tar'; - } - - /** - * Copy with recursive sub-directory support - */ - function dircopy($src, $dst) { - global $conf; - - if (is_dir($src)) { - if (!$dh = @opendir($src)) return false; - - if ($ok = io_mkdir_p($dst)) { - while ($ok && (false !== ($f = readdir($dh)))) { - if ($f == '..' || $f == '.') continue; - $ok = $this->dircopy("$src/$f", "$dst/$f"); - } - } - - closedir($dh); - return $ok; - - } else { - $exists = @file_exists($dst); - - if (!@copy($src,$dst)) return false; - if (!$exists && !empty($conf['fperm'])) chmod($dst, $conf['fperm']); - @touch($dst,filemtime($src)); - } - - return true; - } - - -} - -- cgit v1.2.3