From 8754ff0406d08e14f4b23688e852cede6597dd2b Mon Sep 17 00:00:00 2001
From: joshuaruesweg <ruesweg@woltlab.com>
Date: Mon, 6 Sep 2021 15:35:31 +0200
Subject: [PATCH] Add validation for the version of excluded packages

See #4149
---
 .../system/package/PackageArchive.class.php    | 18 +++++++++++++++++-
 .../PackageValidationException.class.php       |  6 ++++++
 wcfsetup/install/lang/de.xml                   |  1 +
 wcfsetup/install/lang/en.xml                   |  1 +
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/system/package/PackageArchive.class.php b/wcfsetup/install/files/lib/system/package/PackageArchive.class.php
index c2edf41300..58a2fab20d 100644
--- a/wcfsetup/install/files/lib/system/package/PackageArchive.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageArchive.class.php
@@ -329,6 +329,16 @@ class PackageArchive
                 $data[$attribute->name] = $attribute->value;
             }
 
+            if (!isset($data['version']) || !Package::isValidVersion($data['version'])) {
+                throw new PackageValidationException(
+                    PackageValidationException::INVALID_EXCLUDED_PACKAGE_VERSION_NUBMER,
+                    [
+                        'version' => $data['version'] ?? '',
+                        'packageName' => $element->nodeValue,
+                    ]
+                );
+            }
+
             $this->excludedPackages[] = $data;
         }
 
@@ -958,7 +968,13 @@ class PackageArchive
             $statement->execute($conditions->getParameters());
             while ($row = $statement->fetchArray()) {
                 if (!empty($excludedPackages[$row['package']])) {
-                    if (Package::compareVersion($row['packageVersion'], $excludedPackages[$row['package']], '<')) {
+                    if (
+                        Package::compareVersion(
+                            $row['packageVersion'],
+                            $excludedPackages[$row['package']],
+                            '<'
+                        )
+                    ) {
                         continue;
                     }
                     $row['excludedPackageVersion'] = $excludedPackages[$row['package']];
diff --git a/wcfsetup/install/files/lib/system/package/validation/PackageValidationException.class.php b/wcfsetup/install/files/lib/system/package/validation/PackageValidationException.class.php
index 4b7b2780cd..d9354bbc60 100644
--- a/wcfsetup/install/files/lib/system/package/validation/PackageValidationException.class.php
+++ b/wcfsetup/install/files/lib/system/package/validation/PackageValidationException.class.php
@@ -139,6 +139,12 @@ class PackageValidationException extends SystemException
      */
     const DUPLICATE_ABBREVIATION = 18;
 
+    /**
+     * the version of an excluded package is invalid
+     * @var int
+     */
+    const INVALID_EXCLUDED_PACKAGE_VERSION_NUBMER = 19;
+
     /**
      * Creates a new PackageArchiveValidationException.
      *
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index f90d3f81ef..b97367a2a6 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -1949,6 +1949,7 @@ Die Datenbestände werden sorgfältig gepflegt, aber es ist nicht ausgeschlossen
 		<item name="wcf.acp.package.validation.errorCode.16"><![CDATA[Neben der &lt;void/&gt;-Anweisung werden weitere Package Installation Plugins angegeben.]]></item>
 		<item name="wcf.acp.package.validation.errorCode.17"><![CDATA[Die &lt;void/&gt;-Anweisung ist in den Installations-Anweisungen unzulässig.]]></item>
 		<item name="wcf.acp.package.validation.errorCode.18"><![CDATA[Die bereits installierte App „{$application->getPackage()->package}“ verwendet die gleiche App-Abkürzung.]]></item>
+		<item name="wcf.acp.package.validation.errorCode.19"><![CDATA[Die Versionsnummer „{$version}“ des inkompatiblen Paketes „{$packageName}“ ist ungültig.]]></item>
 		<item name="wcf.acp.package.validation.failed"><![CDATA[Das hochgeladene Paket kann nicht installiert werden, bitte {if LANGUAGE_USE_INFORMAL_VARIANT}beachte{else}beachten Sie{/if} das unten stehende Prüfungsergebnis.]]></item>
 		<item name="wcf.acp.package.evaluation.expired"><![CDATA[Die Testphase von <strong>{$packageName}</strong> ist abgelaufen. Bitte aktualisiere{if !LANGUAGE_USE_INFORMAL_VARIANT}n Sie{/if} auf die aktuellste Version um diese Software weiterhin legal betreiben zu können.{if $pluginStoreFileID || $isWoltLab}<br>{if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie können{/if} die aktuelle Version sicher und bequem <strong>{if $pluginStoreFileID}<a href="https://pluginstore.woltlab.com/file/{$pluginStoreFileID}/">im WoltLab Plugin-Store</a>{else}<a href="https://www.woltlab.com/purchase/">auf WoltLab.com</a>{/if}</strong> erwerben.{/if}]]></item>
 		<item name="wcf.acp.package.evaluation.pending"><![CDATA[Bei den folgenden installierten Apps handelt es sich um Testversionen, die am <strong>{$evaluationEndDate|plainTime}</strong> ({@$evaluationEndDate|dateDiff:TIME_NOW:true}) ablaufen. Mit Ablauf der Frist deaktiviert sich die App automatisch, es ist dann notwendig diese auf die endgültige Version zu aktualisieren, um den legalen Betrieb fortzusetzen.
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 2fbec12d3b..063c251e45 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -1934,6 +1934,7 @@ The database is carefully maintained, but there will be always be a margin of er
 		<item name="wcf.acp.package.validation.errorCode.16"><![CDATA[In addition to the &lt;void/&gt; instruction additional Package Installation Plugins are used.]]></item>
 		<item name="wcf.acp.package.validation.errorCode.17"><![CDATA[The &lt;void/&gt; instruction may not be used in the install-instructions.]]></item>
 		<item name="wcf.acp.package.validation.errorCode.18"><![CDATA[The app “{$application->getPackage()->package}”, which is already installed, uses the same app abbreviation.]]></item>
+		<item name="wcf.acp.package.validation.errorCode.19"><![CDATA[The version “{$version}” of the incompatible package “{$packageName}” is invalid.]]></item>
 		<item name="wcf.acp.package.validation.failed"><![CDATA[The package cannot be installed, please review the validation results below.]]></item>
 		<item name="wcf.acp.package.evaluation.expired"><![CDATA[The evaluation period of <strong>{$packageName}</strong> has expired. For a legal use of this software, please update to the latest available version.{if $pluginStoreFileID || $isWoltLab}<br>The latest version can be purchased quickly and securely <strong>{if $pluginStoreFileID}<a href="https://pluginstore.woltlab.com/file/{$pluginStoreFileID}/">in the WoltLab Plugin-Store</a>{else}<a href="https://www.woltlab.com/purchase/">on WoltLab.com</a>{/if}</strong>.{/if}]]></item>
 		<item name="wcf.acp.package.evaluation.pending"><![CDATA[The evaluation period of the apps listed below will expire on <strong>{$evaluationEndDate|plainTime}</strong> ({@$evaluationEndDate|dateDiff:TIME_NOW:true}). The apps will automatically disable themselves after this date and become unusable, you'll need to install the latest versions of the apps to active them again.
-- 
2.20.1