From eb1f573e7ddf8ac96baa80132284e1efc7c9659d Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Tue, 28 Jun 2022 13:06:20 +0200
Subject: [PATCH] Guarantee integrity of packages downloaded via a Plugin-Store StoreCode
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
The package system was unaware of the context of an installation request and permitted the download from unintended package servers. This can cause the download to be initiated from a different server than the user expected, potentially causing the download of a modified version. This commit fixes this issue by restricting the package sources to official servers only when the download via the Plugin-Store‘s StoreCode is requested.
---
.../Core/Acp/Ui/Package/QuickInstallation.ts | 1 +
.../Core/Acp/Ui/Package/QuickInstallation.js | 1 +
.../update/PackageUpdateAction.class.php | 5 +++++
.../server/PackageUpdateServer.class.php | 20 +++++++++++++++++++
4 files changed, 27 insertions(+)
diff --git a/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts b/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
index fe498f1b5b..48c0f7f601 100644
--- a/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
+++ b/ts/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.ts
@@ -73,6 +73,7 @@ async function prepareInstallation(data: InstallationCode): Promise {
 username: data.username,
 password: data.password,
 saveCredentials: false,
+ isStoreCode: true,
 },
 })
 .dispatch()) as Response;
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
index e29ab61147..6724520a68 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Acp/Ui/Package/QuickInstallation.js
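Review bot: Nothing at the call site explains why `isStoreCode: true` is sent alongside the credentials, although this flag is what makes the server (per the PackageUpdateAction hunk in this patch) restrict package sources to official servers; a reader will take it for an authentication hint. Suggest `isStoreCode: true, // ask the server to limit package sources to official servers for this StoreCode install`. prepareInstallation starts and ends outside the hunk; the compiled QuickInstallation.js mirrors this line and needs no separate change.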
@@ -51,6 +51,7 @@ define(["require", "exports", "tslib", "../../../Ajax", "../../../Core", "../../
 username: data.username,
 password: data.password,
 saveCredentials: false,
+ isStoreCode: true,
 },
 })
 .dispatch());
diff --git a/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php b/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
index 048a36bb41..e74110705c 100644
--- a/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
@@ -699,6 +699,7 @@ class PackageUpdateAction extends AbstractDatabaseObjectAction
 $this->readString('password', false, 'authData');
 $this->readString('username', false, 'authData');
 $this->readBoolean('saveCredentials', true, 'authData');
+ $this->readBoolean('isStoreCode', true, 'authData');
 }
 }
@@ -744,6 +745,10 @@ class PackageUpdateAction extends AbstractDatabaseObjectAction
 $this->parameters['authData']['password'],
 $this->parameters['authData']['saveCredentials']
 );
+
+ if ($this->parameters['authData']['isStoreCode']) {
+ PackageUpdateServer::enableSecureMode();
+ }
 }
 $scheduler = new PackageInstallationScheduler($this->parameters['packages']);
diff --git a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
index ab0cd7c8ab..118f3559a1 100644
--- a/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
+++ b/wcfsetup/install/files/lib/data/package/update/server/PackageUpdateServer.class.php
@@ -42,6 +42,13 @@ class PackageUpdateServer extends DatabaseObject
 */
 protected $metaData = [];
+ /**
+ * Restricts the package server selection to include only
+ * official package servers in case a secure download is
+ * requested.
+ */
+ private static $secureMode = false;
+ /**
+ * @inheritDoc
+ */
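Review bot: `isStoreCode` is read with the same shape as `saveCredentials`, which presumably makes it optional and defaults it to false, so the restriction is opt-in per request and only takes effect when the client sends the flag (in this patch, only the Plugin-Store UI does). That is a sensible compatibility default, but it should be stated where the parameter is read so a later caller does not assume the server applies the restriction on its own: `// Optional, defaults to false: the client asks for package sources to be limited to official servers.` The enclosing validation method starts outside the hunk.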
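Review bot: `PackageUpdateServer::enableSecureMode()` flips a class-wide static, so it only influences server lookups that run after this line; if any list of update servers was resolved (and cached) earlier in the same request, for example while validating the parameters, that list would still contain unofficial servers. Worth confirming that `PackageInstallationScheduler` and the subsequent download resolve their servers lazily, or moving the call ahead of the credential handling so nothing in between can resolve servers first. The enclosing method starts and ends outside the hunk.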
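Review bot: `private static $secureMode = false;` is untyped and its docblock names the effect but not the lifetime, so a reader cannot tell whether the flag is per instance, per request or permanent. Add `@var bool` to the docblock and a sentence such as `* Set once per request via enableSecureMode() and never cleared.`; a typed property (`private static bool $secureMode = false;`) would also be an option if the project's minimum PHP version allows it.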
@@ -100,6 +107,10 @@ class PackageUpdateServer extends DatabaseObject
 $woltlabStoreServer = $packageServer;
 } elseif ($packageServer->isDisabled) {
 continue;
+ } elseif (self::$secureMode) {
+ // Skip any unofficial servers when the secure mode
+ // was requested.
+ continue;
 }
 $results[$packageServer->packageUpdateServerID] = $packageServer;
@@ -141,6 +152,15 @@ class PackageUpdateServer extends DatabaseObject
 return \current($pluginStoreServer);
 }
+ /**
+ * Restricts the available sources to official package
+ * servers when a secure download is requested.
+ */
+ final public static function enableSecureMode(): void
+ {
+ self::$secureMode = true;
+ }
+ /**
+ * Returns true if the given server url is valid.
+ *
--
2.20.1
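Review bot: The secure-mode `continue` only sees servers that none of the preceding branches claimed, so whether it keeps exactly the official servers depends on those branches (the start of the loop and its first condition are outside the hunk) recognising every official server and nothing else. Make that dependency explicit in the comment, e.g. `// Secure mode: skip everything that was not identified as an official WoltLab server above.`, and add a test that enables secure mode and asserts the returned list contains only those servers.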
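Review bot: `enableSecureMode()` is one-way: nothing clears `self::$secureMode` and nothing exposes it, so in a process that handles more than one installation (long-running CLI, test suite) the restriction persists for every later lookup, while in the usual per-request PHP lifecycle this is harmless. State that in the docblock: `* Once enabled, the restriction remains in effect for the rest of the request and cannot be reverted.` An `isSecureMode(): bool` accessor would make the state testable without relying on the filtering side effect.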