From: Tim Düsterhus Date: Fri, 18 Nov 2022 09:41:54 +0000 (+0100) Subject: Fix downgrade prevention in PackageValidationArchive X-Git-Tag: 6.0.0_Alpha_1~699^2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3aee45351c1c5584da3864635b0cfa25225ff3dc;p=GitHub%2FWoltLab%2FWCF.git Fix downgrade prevention in PackageValidationArchive This regressed in 5590bc1425b03e1f8d91610b7d3c52ccccb7d338, because `PackageArchive::isValidUpdate()` checked not just the existence of the instructions, but also the version numbers. In practice this regression is only visible for wildcard update instructions, because otherwise a valid instruction will simply not exist.
---
diff --git a/wcfsetup/install/files/lib/system/package/validation/PackageValidationArchive.class.php b/wcfsetup/install/files/lib/system/package/validation/PackageValidationArchive.class.php
index 88556b49ee..12d87cc07d 100644
--- a/wcfsetup/install/files/lib/system/package/validation/PackageValidationArchive.class.php
+++ b/wcfsetup/install/files/lib/system/package/validation/PackageValidationArchive.class.php
@@ -233,23 +233,21 @@ final class PackageValidationArchive implements \RecursiveIterator
 }
 } else {
 // package is already installed, check update path
+ $deliveredPackageVersion = $this->archive->getPackageInfo('version');
+ if (Package::compareVersion($package->packageVersion, $deliveredPackageVersion, '>=')) {
+ throw new PackageValidationException(PackageValidationException::ALREADY_INSTALLED, [
+ 'packageName' => $package->packageName,
+ 'packageVersion' => $package->packageVersion,
+ ]);
+ }
+
 $instructions = $this->archive->getUpdateInstructionsFor($package->packageVersion);
 if ($instructions === null) {
- $deliveredPackageVersion = $this->archive->getPackageInfo('version');
-
- // check if the package is already installed with the same exact version
- if ($package->packageVersion === $deliveredPackageVersion) {
- throw new PackageValidationException(PackageValidationException::ALREADY_INSTALLED, [
- 'packageName' => $package->packageName,
- 'packageVersion' => $package->packageVersion,
- ]);
- } else {
- throw new PackageValidationException(PackageValidationException::NO_UPDATE_PATH, [
- 'packageName' => $package->packageName,
- 'packageVersion' => $package->packageVersion,
- 'deliveredPackageVersion' => $deliveredPackageVersion,
- ]);
- }
+ throw new PackageValidationException(PackageValidationException::NO_UPDATE_PATH, [
+ 'packageName' => $package->packageName,
+ 'packageVersion' => $package->packageVersion,
+ 'deliveredPackageVersion' => $deliveredPackageVersion,
+ ]);
 }
 if ($validationMode === PackageValidationManager::VALIDATION_RECURSIVE) {
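Review bot: The new `>=` guard at the top of the update branch reports a real downgrade attempt (installed version newer than the archive) with the same `ALREADY_INSTALLED` payload as an identical-version archive, and that payload omits the delivered version, so an administrator or log reader cannot tell a rollback attempt from a re-upload. Consider adding `'deliveredPackageVersion' => $deliveredPackageVersion,` to that array, as the `NO_UPDATE_PATH` branch below already does; whether the `ALREADY_INSTALLED` message template renders it is not visible here. The guard also has no comment, while the old equality check had one; something like `// reject same-version and older archives before the instruction lookup, because wildcard update instructions would otherwise match` would document why the ordering matters and keep a later refactor from undoing it. The enclosing method starts and ends outside the hunk.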