From 1527356b1e2cd54f21bbe4da4f6783f11d0415f8 Mon Sep 17 00:00:00 2001
From: "Nicholas K. Dionysopoulos" <nicholas@akeebabackup.com>
Date: Wed, 25 Feb 2015 17:18:15 +0200
Subject: [PATCH 1/3] Fix #6173

JFile::upload was missing the fourth argument, resulting in file content scanning for ZIP file per the default options. Since installation package ZIP files may contain uncompressed .php files OR otherwise the string literals `<?` and `<?php` the upload was rejected. However, installation packages are *supposed* to contain executable code, therefore we should not pass them through the safe file (UploadShield) code.

 Moreover, this patch adds an optional fifth parameter to JFile::upload to allow developers to pass custom options to the safe file scanning (UploadShield) code, as was the original intention of the UploadShield feature when it was committed two years ago but lost during the refactoring for inclusion in Joomla! 3.4.

 Finally, the docblock for isSafeFile was reformatted for improved clarity of the parameters which can be passed to UploadShield.
---
 .../components/com_installer/models/install.php   |  2 +-
 libraries/joomla/filesystem/file.php              | 11 ++++++-----
 libraries/joomla/filter/input.php                 | 15 ++++++++-------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php
index f85abe75e14bd..f7493b53ffadc 100644
--- a/administrator/components/com_installer/models/install.php
+++ b/administrator/components/com_installer/models/install.php
@@ -258,7 +258,7 @@ protected function _getPackageFromUpload()
 
 		// Move uploaded file.
 		jimport('joomla.filesystem.file');
-		JFile::upload($tmp_src, $tmp_dest);
+		JFile::upload($tmp_src, $tmp_dest, false, true);
 
 		// Unpack the downloaded package file.
 		$package = JInstallerHelper::unpack($tmp_dest, true);
diff --git a/libraries/joomla/filesystem/file.php b/libraries/joomla/filesystem/file.php
index 099dc5ef820b1..3c82e33cf02ad 100644
--- a/libraries/joomla/filesystem/file.php
+++ b/libraries/joomla/filesystem/file.php
@@ -440,16 +440,17 @@ public static function write($file, &$buffer, $use_streams = false)
 	/**
 	 * Moves an uploaded file to a destination folder
 	 *
-	 * @param   string   $src           The name of the php (temporary) uploaded file
-	 * @param   string   $dest          The path (including filename) to move the uploaded file to
-	 * @param   boolean  $use_streams   True to use streams
-	 * @param   boolean  $allow_unsafe  Allow the upload of unsafe files
+	 * @param   string   $src              The name of the php (temporary) uploaded file
+	 * @param   string   $dest             The path (including filename) to move the uploaded file to
+	 * @param   boolean  $use_streams      True to use streams
+	 * @param   boolean  $allow_unsafe     Allow the upload of unsafe files
+	 * @param   boolean  $safeFileOptions  Options to JFilterInput::isSafeFile
 	 *
 	 * @return  boolean  True on success
 	 *
 	 * @since   11.1
 	 */
-	public static function upload($src, $dest, $use_streams = false, $allow_unsafe = false)
+	public static function upload($src, $dest, $use_streams = false, $allow_unsafe = false, $safeFileOptions = array())
 	{
 		if (!$allow_unsafe)
 		{
diff --git a/libraries/joomla/filter/input.php b/libraries/joomla/filter/input.php
index 3826ba3d9c975..17a663049a5f8 100644
--- a/libraries/joomla/filter/input.php
+++ b/libraries/joomla/filter/input.php
@@ -327,13 +327,14 @@ public static function checkAttribute($attrSubSet)
 	 * Checks an uploaded for suspicious naming and potential PHP contents which could indicate a hacking attempt.
 	 *
 	 * The options you can define are:
-	 * null_byte Prevent files with a null byte in their name (buffer overflow attack)
-	 * forbidden_extensions Do not allow these strings anywhere in the file's extension
-	 * php_tag_in_content Do not allow <?php tag in content
-	 * shorttag_in_content Do not allow short tag <? in content
-	 * shorttag_extensions Which file extensions to scan for short tags in content
-	 * fobidden_ext_in_content Do not allow forbidden_extensions anywhere in content
-	 * php_ext_content_extensions Which file extensions to scan for .php in content
+	 *
+	 * null_byte                   Prevent files with a null byte in their name (buffer overflow attack)
+	 * forbidden_extensions        Do not allow these strings anywhere in the file's extension
+	 * php_tag_in_content          Do not allow <?php tag in content
+	 * shorttag_in_content         Do not allow short tag <? in content
+	 * shorttag_extensions         Which file extensions to scan for short tags in content
+	 * fobidden_ext_in_content     Do not allow forbidden_extensions anywhere in content
+	 * php_ext_content_extensions  Which file extensions to scan for .php in content
 	 *
 	 * This code is an adaptation and improvement of Admin Tools' UploadShield feature,
 	 * relicensed and contributed by its author.

From 69d86cf14bdf036ec6c761b66257546ef8cc0c5b Mon Sep 17 00:00:00 2001
From: "Nicholas K. Dionysopoulos" <nicholas@akeebabackup.com>
Date: Wed, 25 Feb 2015 18:18:44 +0200
Subject: [PATCH 2/3] JInputFiles::get needs to be passed filter type 'raw' to
 return "unsafe" files.

Plus: fixed a typo in a comment.
---
 administrator/components/com_installer/models/install.php | 3 ++-
 libraries/joomla/input/files.php                          | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php
index f7493b53ffadc..3f9c7b14aa51b 100644
--- a/administrator/components/com_installer/models/install.php
+++ b/administrator/components/com_installer/models/install.php
@@ -201,7 +201,8 @@ protected function _getPackageFromUpload()
 	{
 		// Get the uploaded file information.
 		$input    = JFactory::getApplication()->input;
-		$userfile = $input->files->get('install_package', null, 'array');
+		// Do not change the filter type 'raw'. We need this to let files containing PHP code to upload. See JInputFiles::get.
+		$userfile = $input->files->get('install_package', null, 'raw');
 
 		// Make sure that file uploads are enabled in php.
 		if (!(bool) ini_get('file_uploads'))
diff --git a/libraries/joomla/input/files.php b/libraries/joomla/input/files.php
index 37fee94834e39..23aeceffd8c3f 100644
--- a/libraries/joomla/input/files.php
+++ b/libraries/joomla/input/files.php
@@ -76,7 +76,7 @@ public function get($name, $default = null, $filter = 'cmd')
 	{
 		if (isset($this->data[$name]))
 		{
-			// Prevent returning an unsafe file unless speciffically requested
+			// Prevent returning an unsafe file unless specifically requested
 			if (!$this->data[$name]['safe'])
 			{
 				if ($filter != 'raw')

From 93ebe41bffeb1a31c91aa0e447d9e251d6c50356 Mon Sep 17 00:00:00 2001
From: "Nicholas K. Dionysopoulos" <nicholas@akeebabackup.com>
Date: Thu, 26 Feb 2015 09:33:35 +0200
Subject: [PATCH 3/3] Last commit missed a line. Whoops!

---
 libraries/joomla/filesystem/file.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libraries/joomla/filesystem/file.php b/libraries/joomla/filesystem/file.php
index 3c82e33cf02ad..cc14b9c69109d 100644
--- a/libraries/joomla/filesystem/file.php
+++ b/libraries/joomla/filesystem/file.php
@@ -462,7 +462,7 @@ public static function upload($src, $dest, $use_streams = false, $allow_unsafe =
 				'size'     => '',
 			);
 
-			$isSafe = JFilterInput::isSafeFile($descriptor);
+			$isSafe = JFilterInput::isSafeFile($descriptor, $safeFileOptions);
 
 			if (!$isSafe)
 			{