From b40b05453406dfa8eb8448e90ec786bd29545b82 Mon Sep 17 00:00:00 2001 From: zero-24 Date: Wed, 20 Jan 2021 00:06:22 +0100 Subject: [PATCH 1/5] Make sure we only allow http and https as input for the url installer --- .../components/com_installer/models/install.php | 8 ++++++++ .../language/en-GB/en-GB.com_installer.ini | 1 + .../en-GB/en-GB.plg_installer_urlinstaller.ini | 1 - plugins/installer/urlinstaller/tmpl/default.php | 13 +++---------- 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php index 78f098886f1c5..8300767f51bee 100644 --- a/administrator/components/com_installer/models/install.php +++ b/administrator/components/com_installer/models/install.php @@ -385,6 +385,14 @@ protected function _getPackageFromUrl() return false; } + // We only allow http & https here + $uri = new Uri($url); + + if (in_array($uri->getScheme(), ['http', 'https'])) + { + JError::raiseWarning('', JText::_('COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA')); + } + // Handle updater XML file case: if (preg_match('/\.xml\s*$/', $url)) { diff --git a/administrator/language/en-GB/en-GB.com_installer.ini b/administrator/language/en-GB/en-GB.com_installer.ini index 20fc336d84e23..7a3e3b50730cd 100644 --- a/administrator/language/en-GB/en-GB.com_installer.ini +++ b/administrator/language/en-GB/en-GB.com_installer.ini 
@@ -123,6 +123,7 @@ COM_INSTALLER_MSG_DISCOVER_PURGEDDISCOVEREDEXTENSIONS="Cleared discovered extens COM_INSTALLER_MSG_ERROR_CANT_CONNECT_TO_UPDATESERVER="Can't connect to %s" COM_INSTALLER_MSG_INSTALL_ENTER_A_URL="Please enter a URL" COM_INSTALLER_MSG_INSTALL_INVALID_URL="Invalid URL" +COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA="Please enter a valid URL starting with http or https" COM_INSTALLER_MSG_INSTALL_NO_FILE_SELECTED="No file selected." COM_INSTALLER_MSG_INSTALL_PATH_DOES_NOT_HAVE_A_VALID_PACKAGE="Path does not have a valid package." COM_INSTALLER_MSG_INSTALL_PLEASE_ENTER_A_PACKAGE_DIRECTORY="Please enter a package folder." diff --git a/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini b/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini index 0ef8437c7d8f4..40264f3d317c9 100644 --- a/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini +++ b/administrator/language/en-GB/en-GB.plg_installer_urlinstaller.ini @@ -5,6 +5,5 @@ PLG_INSTALLER_URLINSTALLER_BUTTON="Check and Install" PLG_INSTALLER_URLINSTALLER_INSTALLER_URLFOLDERINSTALLER="Installer - Install from URL." -PLG_INSTALLER_URLINSTALLER_NO_URL="Please enter a URL." PLG_INSTALLER_URLINSTALLER_PLUGIN_XML_DESCRIPTION="This plugin allows you to install packages from a URL." PLG_INSTALLER_URLINSTALLER_TEXT="Install from URL" diff --git a/plugins/installer/urlinstaller/tmpl/default.php b/plugins/installer/urlinstaller/tmpl/default.php index 2812302b81b4d..053f6799f37df 100644 --- a/plugins/installer/urlinstaller/tmpl/default.php +++ b/plugins/installer/urlinstaller/tmpl/default.php 
@@ -16,16 +16,9 @@ { var form = document.getElementById("adminForm"); - // do field validation - if (form.install_url.value == "" || form.install_url.value == "http://" || form.install_url.value == "https://") { - alert("' . JText::_('PLG_INSTALLER_URLINSTALLER_NO_URL', true) . '"); - } - else - { - JoomlaInstaller.showLoading(); - form.installtype.value = "url" - form.submit(); - } + JoomlaInstaller.showLoading(); + form.installtype.value = "url" + form.submit(); }; '); ?> From 1005d89528c2c55a0977f0910f50bcb99e52ca36 Mon Sep 17 00:00:00 2001 From: zero-24 Date: Wed, 20 Jan 2021 00:12:08 +0100 Subject: [PATCH 2/5] fix hcekc; exit and use JUri over Uri --- administrator/components/com_installer/models/install.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php index 8300767f51bee..05ff72b5f0305 100644 --- a/administrator/components/com_installer/models/install.php +++ b/administrator/components/com_installer/models/install.php @@ -386,11 +386,13 @@ protected function _getPackageFromUrl() } // We only allow http & https here - $uri = new Uri($url); + $uri = new JUri($url); - if (in_array($uri->getScheme(), ['http', 'https'])) + if (!in_array($uri->getScheme(), ['http', 'https'])) { JError::raiseWarning('', JText::_('COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA')); + + return false; } // Handle updater XML file case: From eae250f4040b68825a2cc1982915a4e1ddfb6342 Mon Sep 17 00:00:00 2001 From: Tobias Zulauf Date: Wed, 20 Jan 2021 00:22:28 +0100 Subject: [PATCH 3/5] Update administrator/language/en-GB/en-GB.com_installer.ini Co-authored-by: Brian Teeman --- administrator/language/en-GB/en-GB.com_installer.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_installer.ini b/administrator/language/en-GB/en-GB.com_installer.ini index 7a3e3b50730cd..e9dd54f946970 100644 
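Review bot: With the deleted alert gone, the three retained lines submit the form unconditionally, so an empty URL or a bare `http://`/`https://` value now reaches the server and must be rejected there; the `return false` just before the new scheme check in install.php presumably covers the empty case, and a bare `http://` is only refused if JUri yields no scheme for it, which is worth confirming rather than assuming. While these lines are being touched, the carried-over `form.installtype.value = "url"` is missing its terminating semicolon and `form.installtype.value = "url";` keeps the script consistent with the surrounding statements. The JavaScript function these lines belong to opens before the hunk; only its closing `};` is visible here.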
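Review bot: The allow-list on the `if (!in_array($uri->getScheme(), ['http', 'https']))` line compares loosely and case-sensitively: pass `true` as the third argument so a null scheme from an unparsable URL can never match by coercion, and normalise case first so `HTTP://…` is not refused while `http://…` is accepted — `$scheme = strtolower((string) $uri->getScheme());` followed by `if (!in_array($scheme, ['http', 'https'], true))`. This check also only constrains the URL as submitted; if the download helper invoked later in this method follows redirects, the final location's scheme is not re-validated here, so confirm the HTTP transport's redirect handling before relying on this guard alone. A one-line comment stating the intent would help the next reader: `// Reject non-HTTP(S) schemes (file://, ftp://, ...) before anything is fetched`. `_getPackageFromUrl()` continues past the end of the hunk.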
--- a/administrator/language/en-GB/en-GB.com_installer.ini +++ b/administrator/language/en-GB/en-GB.com_installer.ini @@ -123,7 +123,7 @@ COM_INSTALLER_MSG_DISCOVER_PURGEDDISCOVEREDEXTENSIONS="Cleared discovered extens COM_INSTALLER_MSG_ERROR_CANT_CONNECT_TO_UPDATESERVER="Can't connect to %s" COM_INSTALLER_MSG_INSTALL_ENTER_A_URL="Please enter a URL" COM_INSTALLER_MSG_INSTALL_INVALID_URL="Invalid URL" -COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA="Please enter a valid URL starting with http or https" +COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA="Please enter a valid URL starting with http or https." COM_INSTALLER_MSG_INSTALL_NO_FILE_SELECTED="No file selected." COM_INSTALLER_MSG_INSTALL_PATH_DOES_NOT_HAVE_A_VALID_PACKAGE="Path does not have a valid package." COM_INSTALLER_MSG_INSTALL_PLEASE_ENTER_A_PACKAGE_DIRECTORY="Please enter a package folder." From 15568055e504136d1dd40a3fee887ce286b472f5 Mon Sep 17 00:00:00 2001 From: Tobias Zulauf Date: Thu, 21 Jan 2021 20:59:52 +0100 Subject: [PATCH 4/5] Update administrator/language/en-GB/en-GB.com_installer.ini --- administrator/language/en-GB/en-GB.com_installer.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/language/en-GB/en-GB.com_installer.ini b/administrator/language/en-GB/en-GB.com_installer.ini index e9dd54f946970..43d0df5169426 100644 --- a/administrator/language/en-GB/en-GB.com_installer.ini +++ b/administrator/language/en-GB/en-GB.com_installer.ini 
@@ -123,7 +123,7 @@ COM_INSTALLER_MSG_DISCOVER_PURGEDDISCOVEREDEXTENSIONS="Cleared discovered extens COM_INSTALLER_MSG_ERROR_CANT_CONNECT_TO_UPDATESERVER="Can't connect to %s" COM_INSTALLER_MSG_INSTALL_ENTER_A_URL="Please enter a URL" COM_INSTALLER_MSG_INSTALL_INVALID_URL="Invalid URL" -COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA="Please enter a valid URL starting with http or https." +COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEME="Please enter a valid URL starting with http or https." COM_INSTALLER_MSG_INSTALL_NO_FILE_SELECTED="No file selected." COM_INSTALLER_MSG_INSTALL_PATH_DOES_NOT_HAVE_A_VALID_PACKAGE="Path does not have a valid package." COM_INSTALLER_MSG_INSTALL_PLEASE_ENTER_A_PACKAGE_DIRECTORY="Please enter a package folder." From e393a65ca6e84ef8ba250bd28ecc3b60a4502dee Mon Sep 17 00:00:00 2001 From: Tobias Zulauf Date: Thu, 21 Jan 2021 21:00:11 +0100 Subject: [PATCH 5/5] Update administrator/components/com_installer/models/install.php --- administrator/components/com_installer/models/install.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/administrator/components/com_installer/models/install.php b/administrator/components/com_installer/models/install.php index 05ff72b5f0305..d3eaa3a76f1e2 100644 --- a/administrator/components/com_installer/models/install.php +++ b/administrator/components/com_installer/models/install.php @@ -390,7 +390,7 @@ protected function _getPackageFromUrl() if (!in_array($uri->getScheme(), ['http', 'https'])) { - JError::raiseWarning('', JText::_('COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEMA')); + JError::raiseWarning('', JText::_('COM_INSTALLER_MSG_INSTALL_INVALID_URL_SCHEME')); return false; }