|
|
|
|
@ -47,6 +47,7 @@ class OC_Installer{
|
|
|
|
|
* This function works as follows
|
|
|
|
|
* -# fetching the file
|
|
|
|
|
* -# unzipping it
|
|
|
|
|
* -# check the code
|
|
|
|
|
* -# installing the database at appinfo/database.xml
|
|
|
|
|
* -# including appinfo/install.php
|
|
|
|
|
* -# setting the installed version
|
|
|
|
|
@ -91,6 +92,7 @@ class OC_Installer{
|
|
|
|
|
|
|
|
|
|
//extract the archive in a temporary folder
|
|
|
|
|
$extractDir=OC_Helper::tmpFolder();
|
|
|
|
|
OC_Helper::rmdirr($extractDir);
|
|
|
|
|
mkdir($extractDir);
|
|
|
|
|
if($archive=OC_Archive::open($path)){
|
|
|
|
|
$archive->extract($extractDir);
|
|
|
|
|
@ -102,7 +104,7 @@ class OC_Installer{
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//load the info.xml file of the app
|
|
|
|
|
if(!is_file($extractDir.'/appinfo/info.xml')){
|
|
|
|
|
//try to find it in a subdir
|
|
|
|
|
@ -125,6 +127,12 @@ class OC_Installer{
|
|
|
|
|
}
|
|
|
|
|
$info=OC_App::getAppInfo($extractDir.'/appinfo/info.xml',true);
|
|
|
|
|
$basedir=OC::$APPSROOT.'/apps/'.$info['id'];
|
|
|
|
|
|
|
|
|
|
// check the code for not allowed calls
|
|
|
|
|
if(!OC_Installer::checkCode($info['id'],$extractDir)){
|
|
|
|
|
OC_Helper::rmdirr($extractDir);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//check if an app with the same id is already installed
|
|
|
|
|
if(self::isInstalled( $info['id'] )){
|
|
|
|
|
@ -151,8 +159,8 @@ class OC_Installer{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//copy the app to the correct place
|
|
|
|
|
if(!mkdir($basedir)){
|
|
|
|
|
OC_Log::write('core','Can\'t create app folder ('.$basedir.')',OC_Log::ERROR);
|
|
|
|
|
if(@!mkdir($basedir)){
|
|
|
|
|
OC_Log::write('core','Can\'t create app folder. Please fix permissions. ('.$basedir.')',OC_Log::ERROR);
|
|
|
|
|
OC_Helper::rmdirr($extractDir);
|
|
|
|
|
if($data['source']=='http'){
|
|
|
|
|
unlink($path);
|
|
|
|
|
@ -300,4 +308,49 @@ class OC_Installer{
|
|
|
|
|
OC_Appconfig::setValue($app,'installed_version',OC_App::getAppVersion($app));
|
|
|
|
|
return $info;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* check the code of an app with some static code checks
|
|
|
|
|
* @param string $folder the folder of the app to check
|
|
|
|
|
* @returns true for app is o.k. and false for app is not o.k.
|
|
|
|
|
*/
|
|
|
|
|
public static function checkCode($appname,$folder){
|
|
|
|
|
|
|
|
|
|
$blacklist=array(
|
|
|
|
|
'fopen(',
|
|
|
|
|
'eval('
|
|
|
|
|
// more evil pattern will go here later
|
|
|
|
|
// will will also check if an app is using private api once the public api is in place
|
|
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// is the code checker enabled?
|
|
|
|
|
if(OC_Config::getValue('appcodechecker', false)){
|
|
|
|
|
|
|
|
|
|
// check if grep is installed
|
|
|
|
|
$grep = exec('which grep');
|
|
|
|
|
if($grep=='') {
|
|
|
|
|
OC_Log::write('core','grep not installed. So checking the code of the app "'.$appname.'" was not possible',OC_Log::ERROR);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// iterate the bad patterns
|
|
|
|
|
foreach($blacklist as $bl) {
|
|
|
|
|
$cmd = 'grep -ri '.escapeshellarg($bl).' '.$folder.'';
|
|
|
|
|
$result = exec($cmd);
|
|
|
|
|
// bad pattern found
|
|
|
|
|
if($result<>'') {
|
|
|
|
|
OC_Log::write('core','App "'.$appname.'" is using a not allowed call "'.$bl.'". Installation refused.',OC_Log::ERROR);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
}else{
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
Frank Karlitschek