Guarantee integrity of packages downloaded via a Plugin-Store StoreCode

The package system was unaware of the context of an installation request and permitted the download from unintended package servers.

This can cause the download to be initiated from a different server than the user expected, potentially causing the download of a modified version.

This commit fixes this issue by restricting the package sources to official servers only when the download via the Plugin-Store‘s StoreCode is requested.

diff --git a/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts b/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
index fe498f1b5b15fd5c18cb9bfc6c9c0eca20ee782f..48c0f7f6016a2d0e546de902199a7e2bc5c2b568 100644 (file)
--- a/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
+++ b/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
@@ -73,6 +73,7 @@ async function prepareInstallation(data: InstallationCode): Promise<void> {
         username: data.username,
         password: data.password,
         saveCredentials: false,
+        isStoreCode: true,
       },
     })
     .dispatch()) as Response;

diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
index e29ab611470451992e6f8df4eaf7139eeaff7c46..6724520a68b5131625c3690f86344bb8e83fa799 100644 (file)
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
@@ -51,6 +51,7 @@ define(["require", "exports", "tslib", "../../../Ajax", "../../../Core", "../../
                 username: data.username,
                 password: data.password,
                 saveCredentials: false,
+                isStoreCode: true,
             },
         })
             .dispatch());

diff --git a/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php b/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
index 048a36bb4156de5fed576c6712693ff23a2b2e95..e74110705cef9949dd9da58d3e8f3d107c721e52 100644 (file)
--- a/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
@@ -699,6 +699,7 @@ class PackageUpdateAction extends AbstractDatabaseObjectAction
             $this->readString('password', false, 'authData');
             $this->readString('username', false, 'authData');
             $this->readBoolean('saveCredentials', true, 'authData');
+            $this->readBoolean('isStoreCode', true, 'authData');
         }
     }
 
@@ -744,6 +745,10 @@ class PackageUpdateAction extends AbstractDatabaseObjectAction
                 $this->parameters['authData']['password'],
                 $this->parameters['authData']['saveCredentials']
             );
+
+            if ($this->parameters['authData']['isStoreCode']) {
+                PackageUpdateServer::enableSecureMode();
+            }
         }
 
         $scheduler = new PackageInstallationScheduler($this->parameters['packages']);

diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
index ab0cd7c8ab8c2001fcfae497e2756a789478bc05..118f3559a1a34744509225e21e7b8c220427f73a 100644 (file)
--- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
@@ -42,6 +42,13 @@ class PackageUpdateServer extends DatabaseObject
      */
     protected $metaData = [];
 
+    /**
+     * Restricts the package server selection to include only
+     * official package servers in case a secure download is
+     * requested.
+     */
+    private static $secureMode = false;
+
     /**
      * @inheritDoc
      */
@@ -100,6 +107,10 @@ class PackageUpdateServer extends DatabaseObject
                 $woltlabStoreServer = $packageServer;
             } elseif ($packageServer->isDisabled) {
                 continue;
+            } elseif (self::$secureMode) {
+                // Skip any unofficial servers when the secure mode
+                // was requested.
+                continue;
             }
 
             $results[$packageServer->packageUpdateServerID] = $packageServer;
@@ -141,6 +152,15 @@ class PackageUpdateServer extends DatabaseObject
         return \current($pluginStoreServer);
     }
 
+    /**
+     * Restricts the available sources to official package
+     * servers when a secure download is requested.
+     */
+    final public static function enableSecureMode(): void
+    {
+        self::$secureMode = true;
+    }
+
     /**
      * Returns true if the given server url is valid.
      *