From 1ad739cd8fcfe95e834b84e77ce8b51032051df5 Mon Sep 17 00:00:00 2001 From: Alexander Ebert Date: Wed, 14 Feb 2018 16:55:18 +0100 Subject: [PATCH] Allow updates for official packages from trusted origins only --- .../server/PackageUpdateServer.class.php | 29 +++++++++++++++++++ .../package/PackageUpdateDispatcher.class.php | 14 ++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php index 4187bfe410..826ebc9096 100644 --- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php +++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php @@ -240,6 +240,35 @@ class PackageUpdateServer extends DatabaseObject { return Url::parse($this->serverURL)['host'] === 'store.woltlab.com'; } + /** + * Returns true if this server is trusted and is therefore allowed to distribute + * official updates for packages whose identifier starts with "com.woltlab.". + * + * Internal mirrors in enterprise environments are supported through the optional + * PHP constant `UPDATE_SERVER_TRUSTED_MIRROR`, adding it to the `config.inc.php` + * of the Core is considered to be a safe practice. + * + * Example: + * define('UPDATE_SERVER_TRUSTED_MIRROR', 'mirror.example.com'); + * + * @return boolean + */ + public final function isTrustedServer() { + $host = Url::parse($this->serverURL)['host']; + + // the official server is always considered to be trusted + if ($host === 'update.woltlab.com') { + return true; + } + + // custom override to allow testing and mirrors in enterprise environments + if (defined('UPDATE_SERVER_TRUSTED_MIRROR') && $host === UPDATE_SERVER_TRUSTED_MIRROR) { + return true; + } + + return false; + } + /** * Resets all update servers into their original state and purges * the package cache. diff --git a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php index cab9339c9a..fa814a6e4a 100644 --- a/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php +++ b/wcfsetup/install/files/lib/system/package/PackageUpdateDispatcher.class.php @@ -249,6 +249,8 @@ class PackageUpdateDispatcher extends SingletonFactory { * @throws SystemException */ protected function parsePackageUpdateXML(PackageUpdateServer $updateServer, $content, $apiVersion) { + $isTrustedServer = $updateServer->isTrustedServer(); + // load xml document $xml = new XML(); $xml->loadXML('packageUpdateServer.xml', $content); @@ -262,7 +264,17 @@ class PackageUpdateDispatcher extends SingletonFactory { throw new SystemException("'".$package->getAttribute('name')."' is not a valid package name."); } - $allNewPackages[$package->getAttribute('name')] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion); + $name = $package->getAttribute('name'); + if (strpos($name, 'com.woltlab.') === 0 && !$isTrustedServer) { + if (ENABLE_DEBUG_MODE && ENABLE_DEVELOPER_TOOLS) { + throw new SystemException("The server '".$updateServer->serverURL."' attempted to provide an official WoltLab package, but is not authorized."); + } + + // silently ignore this package to avoid unexpected errors for regular users + continue; + } + + $allNewPackages[$name] = $this->parsePackageUpdateXMLBlock($updateServer, $xpath, $package, $apiVersion); } return $allNewPackages; -- 2.20.1