
MDL-26035 more detection of invalid plugin dir names

1 parent 17e0390 commit 3e858ea737739197809013636d0ed942131ffb3e @skodak skodak committed Jan 23, 2011
Showing with 52 additions and 1 deletion.
  1. +52 −1 lib/upgradelib.php
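--- a/lib/upgradelib.php
+++ b/lib/upgradelib.php
@@ -272,13 +272,28 @@ function upgrade_plugins($type, $startcallback, $endcallback, $verbose) {
 foreach ($plugs as $plug=>$fullplug) {
 $component = $type.'_'.$plug; // standardised plugin name
+ // check plugin dir is valid name
+ $cplug = strtolower($plug);
+ $cplug = clean_param($cplug, PARAM_SAFEDIR);
+ $cplug = str_replace('-', '', $cplug);
+ if ($plug !== $cplug) {
+ throw new plugin_defective_exception($component, 'Invalid plugin directory name.');
+ }
+
 if (!is_readable($fullplug.'/version.php')) {
 continue;
 }
 $plugin = new stdClass();
 require($fullplug.'/version.php'); // defines $plugin with version etc
+ // if plugin tells us it's full name we may check the location
+ if (isset($plugin->component)) {
+ if ($plugin->component !== $component) {
+ throw new plugin_defective_exception($component, 'Plugin installed in wrong folder.');
+ }
+ }
+
 if (empty($plugin->version)) {
 throw new plugin_defective_exception($component, 'Missing version value in version.php');
 }
@@ -396,19 +411,35 @@ function upgrade_plugins_modules($startcallback, $endcallback, $verbose) {
 foreach ($mods as $mod=>$fullmod) {
- if ($mod == 'NEWMODULE') { // Someone has unzipped the template, ignore it
+ if ($mod === 'NEWMODULE') { // Someone has unzipped the template, ignore it
 continue;
 }
 $component = 'mod_'.$mod;
+ // check module dir is valid name
+ $cmod = strtolower($mod);
+ $cmod = clean_param($cmod, PARAM_SAFEDIR);
+ $cmod = str_replace('-', '', $cmod);
+ $cmod = str_replace('_', '', $cmod); // modules MUST not have '_' in name and never will, sorry
+ if ($mod !== $cmod) {
+ throw new plugin_defective_exception($component, 'Invalid plugin directory name.');
+ }
+
 if (!is_readable($fullmod.'/version.php')) {
 throw new plugin_defective_exception($component, 'Missing version.php');
 }
 $module = new stdClass();
 require($fullmod .'/version.php'); // defines $module with version etc
+ // if plugin tells us it's full name we may check the location
+ if (isset($module->component)) {
+ if ($module->component !== $component) {
+ throw new plugin_defective_exception($component, 'Plugin installed in wrong folder.');
+ }
+ }
+
 if (empty($module->version)) {
 if (isset($module->version)) {
 // Version is empty but is set - it means its value is 0 or ''. Let us skip such module.
@@ -426,6 +457,11 @@ function upgrade_plugins_modules($startcallback, $endcallback, $verbose) {
 }
 }
+ // all modules must have en lang pack
+ if (!is_readable("$fullmod/lang/en/$mod.php")) {
+ throw new plugin_defective_exception($component, 'Missing mandatory en language pack.');
+ }
+
 $module->name = $mod; // The name MUST match the directory
 $currmodule = $DB->get_record('modules', array('name'=>$module->name));
@@ -548,6 +584,14 @@ function upgrade_plugins_blocks($startcallback, $endcallback, $verbose) {
 $component = 'block_'.$blockname;
+ // check block dir is valid name
+ $cblockname = strtolower($blockname);
+ $cblockname = clean_param($cblockname, PARAM_SAFEDIR);
+ $cblockname = str_replace('-', '', $cblockname);
+ if ($blockname !== $cblockname) {
+ throw new plugin_defective_exception($component, 'Invalid plugin directory name.');
+ }
+
 if (!is_readable($fullblock.'/version.php')) {
 throw new plugin_defective_exception('block/'.$blockname, 'Missing version.php file.');
 }
@@ -557,6 +601,13 @@ function upgrade_plugins_blocks($startcallback, $endcallback, $verbose) {
 include($fullblock.'/version.php');
 $block = $plugin;
+ // if plugin tells us it's full name we may check the location
+ if (isset($block->component)) {
+ if ($block->component !== $component) {
+ throw new plugin_defective_exception($component, 'Plugin installed in wrong folder.');
+ }
+ }
+
 if (!empty($plugin->requires)) {
 if ($plugin->requires > $CFG->version) {
 throw new upgrade_requires_exception($component, $plugin->version, $CFG->version, $plugin->requires);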
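Review bot: The `$plugin->component !== $component` check in upgrade_plugins() runs only after `require($fullplug.'/version.php')` has already executed the plugin's code, and only when the plugin itself sets `component`, so it can report a misplaced install but is not a control that keeps a wrongly placed or altered plugin from being loaded. The same holds for the `$module->component` and `$block->component` checks in upgrade_plugins_modules() and upgrade_plugins_blocks(). I would state that in the comment, e.g. `// consistency check only: version.php has already run, and plugins that do not set ->component are not checked`. The directory-name check is the part that runs before any plugin file is loaded; it repeats the same strtolower / clean_param / str_replace sequence in three places and would be easier to keep in step as one shared helper. All three function bodies start and end outside the visible hunks.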
