return Url::parse($this->serverURL)['host'] === 'store.woltlab.com';
}
+ /**
+ * Returns true if this server is trusted and is therefore allowed to distribute
+ * official updates for packages whose identifier starts with "com.woltlab.".
+ *
+ * Internal mirrors in enterprise environments are supported through the optional
+ * PHP constant `UPDATE_SERVER_TRUSTED_MIRROR`, adding it to the `config.inc.php`
+ * of the Core is considered to be a safe practice.
+ *
+ * Example:
+ * define('UPDATE_SERVER_TRUSTED_MIRROR', 'mirror.example.com');
+ *
+ * @return boolean
+ */
+ public final function isTrustedServer() {
+ $host = Url::parse($this->serverURL)['host'];
+
+ // the official server is always considered to be trusted
+ if ($host === 'update.woltlab.com') {
+ return true;
+ }
+
+ // custom override to allow testing and mirrors in enterprise environments
+ if (defined('UPDATE_SERVER_TRUSTED_MIRROR') && $host === UPDATE_SERVER_TRUSTED_MIRROR) {
+ return true;
+ }
+
+ return false;
+ }
+
/**
* Resets all update servers into their original state and purges
* the package cache.
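Review bot: The trust decision in `isTrustedServer()` compares only the host part of `serverURL`, so an entry that uses plain `http://` with the official hostname would count as trusted even though the transport gives no assurance about who actually answered. Unless the scheme is enforced elsewhere (not visible in this hunk), the method should also require HTTPS before the host comparisons, e.g. `$url = Url::parse($this->serverURL);` followed by `if ($url['scheme'] !== 'https') return false;`, assuming `Url::parse()` exposes the scheme the same way it exposes `host`. The same applies to the `UPDATE_SERVER_TRUSTED_MIRROR` branch. If plain-HTTP internal mirrors must remain possible, the docblock should state that the network path to the mirror then becomes part of the trust boundary.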
* @throws SystemException
*/
protected function parsePackageUpdateXML(PackageUpdateServer $updateServer, $content, $apiVersion) {
+ $isTrustedServer = $updateServer->isTrustedServer();
+
// load xml document
$xml = new XML();
$xml->loadXML('packageUpdateServer.xml', $content);
throw new SystemException("'".$package->getAttribute('name')."' is not a valid package name.");
}
- $allNewPackages[$package->getAttribute('name')] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion);
+ $name = $package->getAttribute('name');
+ if (strpos($name, 'com.woltlab.') === 0 && !$isTrustedServer) {
+ if (ENABLE_DEBUG_MODE && ENABLE_DEVELOPER_TOOLS) {
+ throw new SystemException("The server '".$updateServer->serverURL."' attempted to provide an official WoltLab package, but is not authorized.");
+ }
+
+ // silently ignore this package to avoid unexpected errors for regular users
+ continue;
+ }
+
+ $allNewPackages[$name] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion);
}
return $allNewPackages;
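Review bot: The `continue` after the prefix check drops the package without leaving any record unless both `ENABLE_DEBUG_MODE` and `ENABLE_DEVELOPER_TOOLS` are set, so on a production site an untrusted server offering `com.woltlab.*` packages goes unnoticed by the administrator. Skipping quietly for the end user is reasonable, but the event is security-relevant and should be written to the application's error or audit log with the server URL and the package name, instead of only being thrown in developer mode. Separately, `strpos($name, 'com.woltlab.') === 0` is a case-sensitive comparison; if package identifiers are matched case-insensitively anywhere downstream (not visible here), the name should be normalised first or compared with `stripos($name, 'com.woltlab.') === 0`. The enclosing loop and the start of `parsePackageUpdateXML` lie outside this hunk.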