From 76fcf777991efdce6b09dbd4f0ef9c07b1af59af Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Wed, 31 Mar 2021 15:26:13 +1100
Subject: [PATCH 1/4] Bump gateway protocol to 1.2
---
 modules/system/classes/UpdateManager.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/system/classes/UpdateManager.php b/modules/system/classes/UpdateManager.php
index 929683dce..da91e3d37 100644
--- a/modules/system/classes/UpdateManager.php
+++ b/modules/system/classes/UpdateManager.php
@@ -613,8 +613,9 @@ class UpdateManager
 {
 $fileCode = $name . $hash;
 $filePath = $this->getFilePath($fileCode);
+ $innerPath = str_replace('.', '/', strtolower($name));
 
- if (!Zip::extract($filePath, plugins_path())) {
+ if (!Zip::extract($filePath, plugins_path($innerPath))) {
 throw new ApplicationException(Lang::get('system::lang.zip.extract_failed', ['file' => $filePath]));
 }
 
@@ -655,8 +656,9 @@ class UpdateManager
 {
 $fileCode = $name . $hash;
 $filePath = $this->getFilePath($fileCode);
+ $innerPath = str_replace('.', '-', strtolower($name));
 
- if (!Zip::extract($filePath, themes_path())) {
+ if (!Zip::extract($filePath, themes_path($innerPath))) {
 throw new ApplicationException(Lang::get('system::lang.zip.extract_failed', ['file' => $filePath]));
 }
 
@@ -958,7 +960,7 @@ class UpdateManager
 */
 protected function applyHttpAttributes($http, $postData)
 {
- $postData['protocol_version'] = '1.1';
+ $postData['protocol_version'] = '1.2';
 $postData['client'] = 'october';
 
 $postData['server'] = base64_encode(serialize([
From 458cfe7595595532047821485f8b72a69857437e Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Sat, 3 Apr 2021 10:37:15 +1100
Subject: [PATCH 2/4] Handle redirects in file downloader
---
 modules/system/classes/UpdateManager.php | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/modules/system/classes/UpdateManager.php b/modules/system/classes/UpdateManager.php
index da91e3d37..5cf932c1d 100644
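Review bot: `$name` becomes the extraction destination (`plugins_path($innerPath)`) with no format check visible in this hunk, so the directory the archive is unpacked into is decided by whatever string the caller passes. Only `.` is rewritten; a name that already contains `/` or `\` would still select a different directory below the plugins root. I would reject anything that is not a plain plugin code before building the path, e.g. `if (!preg_match('/^[a-z0-9]+\.[a-z0-9]+$/i', $name)) { throw new ApplicationException('Invalid plugin code'); }`, assuming codes are always of the `Author.Plugin` form. The theme hunk at -655 has the same gap with `themes_path($innerPath)`. The method signature is outside the hunk, so where `$name` originates cannot be confirmed from here.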
--- a/modules/system/classes/UpdateManager.php
+++ b/modules/system/classes/UpdateManager.php
@@ -905,13 +905,16 @@ class UpdateManager
 $http->toFile($filePath);
 });
 
- if ($result->code != 200) {
- throw new ApplicationException(File::get($filePath));
+ if (in_array($result->code, [301, 302])) {
+ if ($redirectUrl = array_get($result->info, 'redirect_url')) {
+ $result = Http::get($redirectUrl, function ($http) use ($postData, $filePath) {
+ $http->toFile($filePath);
+ });
+ }
 }
 
- if (md5_file($filePath) != $expectedHash) {
- @unlink($filePath);
- throw new ApplicationException(Lang::get('system::lang.server.file_corrupt'));
+ if ($result->code != 200) {
+ throw new ApplicationException(File::get($filePath));
 }
 }
 
@@ -944,7 +947,7 @@ class UpdateManager
 */
 protected function createServerUrl($uri)
 {
- $gateway = Config::get('cms.updateServer', 'http://gateway.octobercms.com/api');
+ $gateway = Config::get('cms.updateServer', 'https://gateway.octobercms.com/api');
 if (substr($gateway, -1) != '/') {
 $gateway .= '/';
 }
From 53c7be13659419c50788e7816c2b90bd370f79b3 Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Tue, 13 Apr 2021 10:06:16 +1000
Subject: [PATCH 3/4] Backwards compat
---
 modules/system/classes/VersionManager.php | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/modules/system/classes/VersionManager.php b/modules/system/classes/VersionManager.php
index 696e567be..7b979f460 100644
--- a/modules/system/classes/VersionManager.php
+++ b/modules/system/classes/VersionManager.php
@@ -120,6 +120,8 @@ class VersionManager
 */
 protected function applyPluginUpdate($code, $version, $details)
 {
+ $version = $this->normalizeVersion($version);
+
 list($comments, $scripts) = $this->extractScriptsAndComments($details);
 
 /*
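Review bot: The downloaded file is no longer verified against `$expectedHash`: the `md5_file()` comparison in the -905 hunk is removed and nothing replaces it, so any 200 response, including one served from the `redirect_url` target, is accepted and later unpacked. The redirect target is also used as-is, so the `https` default added in the following hunk protects only the first request. I would keep an integrity check on the file that was finally written and follow the redirect only to an HTTPS URL, as sketched below; if protocol 1.2 no longer supplies a hash of the final file, the gateway response needs to carry one, ideally something stronger than MD5. The method signature is outside the hunk, so `$expectedHash` still being a parameter is an assumption. `$postData` in the new closure's `use` list is unused.

```php
if (in_array($result->code, [301, 302])) {
    $redirectUrl = array_get($result->info, 'redirect_url');

    // Follow the redirect only to a TLS endpoint; anything else falls through to the 200 check.
    if ($redirectUrl && strtolower((string) parse_url($redirectUrl, PHP_URL_SCHEME)) === 'https') {
        $result = Http::get($redirectUrl, function ($http) use ($filePath) {
            $http->toFile($filePath);
        });
    }
}

// … unchanged: status check throwing ApplicationException on a non-200 code …

// Verify the file actually written, whichever URL served it. hash_equals() also avoids
// the loose `!=` comparison, which treats some distinct "0e…" digests as equal.
if (!hash_equals((string) $expectedHash, (string) md5_file($filePath))) {
    @unlink($filePath);
    throw new ApplicationException(Lang::get('system::lang.server.file_corrupt'));
}
```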
@@ -285,13 +287,18 @@ class VersionManager
 $versionInfo = [];
 }
 
- if ($versionInfo) {
- uksort($versionInfo, function ($a, $b) {
- return version_compare($a, $b);
- });
+ // Sort result
+ uksort($versionInfo, function ($a, $b) {
+ return version_compare($a, $b);
+ });
+
+ $result = [];
+
+ foreach ($versionInfo as $version => $info) {
+ $result[$this->normalizeVersion($version)] = $info;
 }
 
- return $this->fileVersions[$code] = $versionInfo;
+ return $this->fileVersions[$code] = $result;
 }
 
 /**
@@ -520,6 +527,11 @@ class VersionManager
 return $this;
 }
 
+ protected function normalizeVersion($version)
+ {
+ return ltrim((string) $version, 'v');
+ }
+
 /**
 * Extract script and comments from version details
 * @return array
From 552b52c759d2518879b4a594d706ae1b61897535 Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Wed, 14 Apr 2021 10:20:50 +1000
Subject: [PATCH 4/4] Backport API security
---
 modules/system/classes/UpdateManager.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/system/classes/UpdateManager.php b/modules/system/classes/UpdateManager.php
index 5cf932c1d..537522564 100644
--- a/modules/system/classes/UpdateManager.php
+++ b/modules/system/classes/UpdateManager.php
@@ -237,8 +237,8 @@ class UpdateManager
 
 $params = [
 'core' => $this->getHash(),
- 'plugins' => serialize($versions),
- 'themes' => serialize($themes),
+ 'plugins' => base64_encode(json_encode($versions)),
+ 'themes' => base64_encode(json_encode($themes)),
 'build' => $build,
 'force' => $force
 ];
@@ -966,7 +966,7 @@ class UpdateManager
 $postData['protocol_version'] = '1.2';
 $postData['client'] = 'october';
 
- $postData['server'] = base64_encode(serialize([
+ $postData['server'] = base64_encode(json_encode([
 'php' => PHP_VERSION,
 'url' => Url::to('/'),
 'since' => PluginVersion::orderBy('created_at')->value('created_at')
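Review bot: The keys are sorted before they are normalized, so `uksort` in the -285 hunk still compares the raw keys; as far as I can tell `version_compare()` ranks a `v`-prefixed key below any purely numeric one, so a version file mixing both styles would come back out of order. Normalizing inside the comparator fixes that: `return version_compare($this->normalizeVersion($a), $this->normalizeVersion($b));`. Separately, two keys that normalize to the same string (`v1.0.1` and `1.0.1`) silently overwrite each other in `$result`; a comment stating which entry is meant to win would help. The method starts outside the hunk.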
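Review bot: `normalizeVersion()` in the -520 hunk has no docblock, unlike the method that follows it, and two details of its behaviour are worth writing down: `ltrim($version, 'v')` strips every leading lowercase `v` (so `vv1.0` becomes `1.0`) and leaves an uppercase `V` in place. I would add a short docblock such as `Strips a leading "v" so that "v1.0.1" and "1.0.1" refer to the same version.` with `@param mixed $version` and `@return string`, and state whether `V1.0.1` is expected to be accepted.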
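Review bot: `json_encode()` returns `false` when it cannot encode its input (for example a non-UTF-8 string in a version or theme entry), and `base64_encode(false)` is an empty string, so in the -237 hunk the gateway would receive an empty `plugins` or `themes` field with no error raised on this side. Encoding before the array literal and checking the result would surface that, e.g. `$plugins = json_encode($versions);` followed by `if ($plugins === false) { throw new ApplicationException(json_last_error_msg()); }`. The same applies to the `server` payload in the hunk at -966. Both array literals sit inside methods whose start and end are outside the hunks.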