Allow updates for official packages from trusted origins only

diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
index 4187bfe410f2f71726f3dc65a9e6991ab27ae98a..826ebc90962642be3056155f8cdfea4a8523a7c6 100644 (file)
--- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
@@ -240,6 +240,35 @@ class PackageUpdateServer extends DatabaseObject {
                return Url::parse($this->serverURL)['host'] === 'store.woltlab.com';
        }
        
+       /**
+        * Returns true if this server is trusted and is therefore allowed to distribute
+        * official updates for packages whose identifier starts with "com.woltlab.".
+        * 
+        * Internal mirrors in enterprise environments are supported through the optional
+        * PHP constant `UPDATE_SERVER_TRUSTED_MIRROR`, adding it to the `config.inc.php`
+        * of the Core is considered to be a safe practice.
+        * 
+        * Example:
+        *   define('UPDATE_SERVER_TRUSTED_MIRROR', 'mirror.example.com');
+        * 
+        * @return      boolean
+        */
+       public final function isTrustedServer() {
+               $host = Url::parse($this->serverURL)['host'];
+               
+               // the official server is always considered to be trusted
+               if ($host === 'update.woltlab.com') {
+                       return true;
+               }
+               
+               // custom override to allow testing and mirrors in enterprise environments
+               if (defined('UPDATE_SERVER_TRUSTED_MIRROR') && $host === UPDATE_SERVER_TRUSTED_MIRROR) {
+                       return true;
+               }
+               
+               return false;
+       }
+       
        /**
         * Resets all update servers into their original state and purges
         * the package cache.

diff --git a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
index cab9339c9a207a0f2b36df9f83302b4eb5c13b33..fa814a6e4a261c6301f05c967352f8467d4ee27d 100644 (file)
--- a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php
@@ -249,6 +249,8 @@ class PackageUpdateDispatcher extends SingletonFactory {
         * @throws      SystemException
         */
        protected function parsePackageUpdateXML(PackageUpdateServer $updateServer, $content, $apiVersion) {
+               $isTrustedServer = $updateServer->isTrustedServer();
+               
                // load xml document
                $xml = new XML();
                $xml->loadXML('packageUpdateServer.xml', $content);
@@ -262,7 +264,17 @@ class PackageUpdateDispatcher extends SingletonFactory {
                                throw new SystemException("'".$package->getAttribute('name')."' is not a valid package name.");
                        }
                        
-                       $allNewPackages[$package->getAttribute('name')] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion);
+                       $name = $package->getAttribute('name');
+                       if (strpos($name, 'com.woltlab.') === 0 && !$isTrustedServer) {
+                               if (ENABLE_DEBUG_MODE && ENABLE_DEVELOPER_TOOLS) {
+                                       throw new SystemException("The server '".$updateServer->serverURL."' attempted to provide an official WoltLab package, but is not authorized.");
+                               }
+                               
+                               // silently ignore this package to avoid unexpected errors for regular users
+                               continue;
+                       }
+                       
+                       $allNewPackages[$name] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion);
                }
                
                return $allNewPackages;