[TASK] use include for checking update scripts 78/39478/2
authorJigal van Hemert <jigal.van.hemert@typo3.org>
Mon, 11 May 2015 21:18:32 +0000 (23:18 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Tue, 12 May 2015 08:37:43 +0000 (10:37 +0200)
Instead of using eval() the EM includes temporary files with the
modified contents of class.ext_update.php to check if the update
script can be called.

Resolves: #66740
Releases: 6.2, master
Change-Id: I9495d97ad78f2bb100c306ae122aacee6f32b24a
Reviewed-on: http://review.typo3.org/39478
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/extensionmanager/Classes/Utility/UpdateScriptUtility.php

index 4cfa458..ffcbdc9 100644 (file)
@@ -99,16 +99,17 @@ class UpdateScriptUtility {
                        // check if it has a namespace
                        if (!preg_match('/<\?php.*namespace\s+([^;]+);.*class/is', $scriptSourceCode, $matches)) {
                                // if no, rename the class with a unique name
-                               $className = uniqid('ext_update');
-                               $scriptSourceCode = preg_replace('/^\s*class\s+ext_update\s+/m', 'class ' . $className . ' ', $scriptSourceCode);
+                               $className = 'ext_update' . md5($extensionKey . $scriptSourceCode);
+                               $temporaryFileName = PATH_site . 'typo3temp/ExtensionManager/UpdateScripts/' . $className . '.php';
+                               if (!file_exists(GeneralUtility::getFileAbsFileName($temporaryFileName))) {
+                                       $scriptSourceCode = preg_replace('/^\s*class\s+ext_update\s+/m', 'class ' . $className . ' ', $scriptSourceCode);
+                                       GeneralUtility::writeFileToTypo3tempDir($temporaryFileName, $scriptSourceCode);
+                               }
+                               $updateScript = $temporaryFileName;
                        } else {
                                $className = $matches[1] . '\ext_update';
                        }
-                       // load class and call access function
-                       if (!preg_match('/\?>$/is', $scriptSourceCode)) {
-                               $scriptSourceCode .= '?>';
-                       }
-                       eval('?>' . $scriptSourceCode . '<?php ');
+                       @include_once $updateScript;
                        if (!class_exists($className)) {
                                throw new \TYPO3\CMS\Extensionmanager\Exception\ExtensionManagerException(
                                        sprintf('class.ext_update.php of extension "%s" did not declare ext_update class', $extensionKey),