[TASK] Use secure deserialization in extension manager
[Packages/TYPO3.CMS.git] / typo3 / sysext / extensionmanager / Classes / Utility / Connection / TerUtility.php
1 <?php
2 namespace TYPO3\CMS\Extensionmanager\Utility\Connection;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
18 use TYPO3\CMS\Core\Core\Environment;
19 use TYPO3\CMS\Core\Utility\GeneralUtility;
20 use TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException;
21
22 /**
23 * TER2 connection handling class for the TYPO3 Extension Manager.
24 *
25 * It contains methods for downloading and uploading extensions and related code
26 */
27 class TerUtility
28 {
29 /**
30 * @var string
31 */
32 public $wsdlUrl;
33
34 /**
35 * Fetches an extension from the given mirror
36 *
37 * @param string $extensionKey Extension Key
38 * @param string $version Version to install
39 * @param string $expectedMd5 Expected MD5 hash of extension file
40 * @param string $mirrorUrl URL of mirror to use
41 * @throws ExtensionManagerException
42 * @return array T3X data
43 */
44 public function fetchExtension($extensionKey, $version, $expectedMd5, $mirrorUrl)
45 {
46 if (
47 (bool)GeneralUtility::makeInstance(ExtensionConfiguration::class)->get('extensionmanager', 'offlineMode')
48 || Environment::isComposerMode()
49 ) {
50 throw new ExtensionManagerException('Extension Manager is in offline mode. No TER connection available.', 1437078620);
51 }
52 $extensionPath = strtolower($extensionKey);
53 $mirrorUrl .= $extensionPath[0] . '/' . $extensionPath[1] . '/' . $extensionPath . '_' . $version . '.t3x';
54 $t3x = \TYPO3\CMS\Core\Utility\GeneralUtility::getUrl($mirrorUrl);
55 $md5 = md5($t3x);
56 if ($t3x === false) {
57 throw new ExtensionManagerException(sprintf('The T3X file "%s" could not be fetched. Possible reasons: network problems, allow_url_fopen is off, cURL is not enabled in Install Tool.', $mirrorUrl), 1334426097);
58 }
59 if ($md5 === $expectedMd5) {
60 // Fetch and return:
61 $extensionData = $this->decodeExchangeData($t3x);
62 } else {
63 throw new ExtensionManagerException('Error: MD5 hash of downloaded file not as expected: ' . $md5 . ' != ' . $expectedMd5, 1334426098);
64 }
65 return $extensionData;
66 }
67
68 /**
69 * Decode server data
70 * This is information like the extension list, extension
71 * information etc., return data after uploads (new em_conf)
72 * On success, returns an array with data array and stats
73 * array as key 0 and 1.
74 *
75 * @param string $externalData Data stream from remove server
76 * @throws ExtensionManagerException
77 * @return array $externalData
78 * @see fetchServerData(), processRepositoryReturnData()
79 */
80 public function decodeServerData($externalData)
81 {
82 $parts = explode(':', $externalData, 4);
83 $dat = base64_decode($parts[2]);
84 gzuncompress($dat);
85 // compare hashes ignoring any leading whitespace. See bug #0000365.
86 if (ltrim($parts[0]) == md5($dat)) {
87 if ($parts[1] === 'gzcompress') {
88 if (function_exists('gzuncompress')) {
89 $dat = gzuncompress($dat);
90 } else {
91 throw new ExtensionManagerException('Decoding Error: No decompressor available for compressed content. gzuncompress() function is not available!', 1342859463);
92 }
93 }
94 $listArr = unserialize($dat, ['allowed_classes' => false]);
95 if (!is_array($listArr)) {
96 throw new ExtensionManagerException('Error: Unserialized information was not an array - strange!', 1342859489);
97 }
98 } else {
99 throw new ExtensionManagerException('Error: MD5 hashes in T3X data did not match!', 1342859505);
100 }
101 return $listArr;
102 }
103
104 /**
105 * Decodes extension upload array.
106 * This kind of data is when an extension is uploaded to TER
107 *
108 * @param string $stream Data stream
109 * @throws ExtensionManagerException
110 * @return array Array with result on success, otherwise an error string.
111 */
112 public function decodeExchangeData($stream)
113 {
114 $parts = explode(':', $stream, 3);
115 if ($parts[1] === 'gzcompress') {
116 if (function_exists('gzuncompress')) {
117 $parts[2] = gzuncompress($parts[2]);
118 } else {
119 throw new ExtensionManagerException('Decoding Error: No decompressor available for compressed content. gzcompress()/gzuncompress() ' . 'functions are not available!', 1344761814);
120 }
121 }
122 if (md5($parts[2]) === $parts[0]) {
123 $output = unserialize($parts[2], ['allowed_classes' => false]);
124 if (!is_array($output)) {
125 throw new ExtensionManagerException('Error: Content could not be unserialized to an array. Strange (since MD5 hashes match!)', 1344761938);
126 }
127 } else {
128 throw new ExtensionManagerException('Error: MD5 mismatch. Maybe the extension file was downloaded and saved as a text file by the ' . 'browser and thereby corrupted!? (Always select "All" filetype when saving extensions)', 1344761991);
129 }
130 return $output;
131 }
132 }