CRM-20906 backport for 4.6

CRM/Admin/Form/Extensions.php

@@ -51,6 +51,10 @@ public function preProcess() {
       $this, FALSE, 0
     );
 
+    if (!CRM_Utils_Type::validate($this->_key, 'ExtensionKey')) {
+      throw new CRM_Core_Exception('Extension Key does not match expected standard');
+    }
+
     $session = CRM_Core_Session::singleton();
     $url = CRM_Utils_System::url('civicrm/admin/extensions', 'reset=1&action=browse');
     $session->pushUserContext($url);

CRM/Utils/Rule.php

@@ -857,4 +857,16 @@ public static function qfKey($key) {
     return ($key) ? CRM_Core_Key::valid($key) : FALSE;
   }
 
+  /**
+   * @param string $key Extension Key to check
+   * @return bool
+   */
+  public static function checkExtensionKeyIsValid($key = NULL) {
+
+    if (!empty($key) && !preg_match('/^[0-9a-zA-Z._-]+$/', $key)) {
+      return FALSE;
+    }
+    return TRUE;
+  }
+
 }

CRM/Utils/Type.php

@@ -417,6 +417,12 @@ public static function validate($data, $type, $abort = TRUE, $name = 'One of par
         }
         break;
 
+      case 'ExtensionKey':
+        if (CRM_Utils_Rule::checkExtensionKeyIsValid($data)) {
+          return $data;
+        }
+        break;
+
       default:
         CRM_Core_Error::fatal("Cannot recognize $type for $data");
         break;

tests/phpunit/CRM/Utils/RuleTest.php

@@ -80,4 +80,24 @@ public function numericDataProvider() {
     );
   }
 
+  /**
+   * @return array
+   */
+  public function extensionKeyTests() {
+    $keys = array();
+    $keys[] = array('org.civicrm.multisite', TRUE);
+    $keys[] = array('au.org.contribute2016', TRUE);
+    $keys[] = array('%3Csvg%20onload=alert(0)%3E', FALSE);
+    return $keys;
+  }
+
+  /**
+   * @param $key
+   * @param $expectedResult
+   * @dataProvider extensionKeyTests
+   */
+  public function testExtensionKeyValid($key, $expectedResult) {
+    $this->assertEquals($expectedResult, CRM_Utils_Rule::checkExtensionKeyIsValid($key));
+  }
+
 }