[Package Manager] Re-Download missing packages

_build/build.sample.properties

@@ -11,7 +11,7 @@ git.command = git
 #project.name.fs = modx
 
 # Override to set the version and release strings
-#modx.core.version = 2.6.4
+#modx.core.version = 2.6.5
 #modx.core.release = pl
 
 # these properties require a local Git clone in order to produce distributions

_build/build.xml

@@ -11,6 +11,7 @@
     <tstamp />
 
     <!-- Set some common project properties -->
+    <property name="project.name" value="MODX Revolution" />
     <property name="project.name.fs" value="modx" />
     <property name="project.root.dir" value=".." />
     <property name="project.core.dir" value="${project.root.dir}/core" />
@@ -19,7 +20,7 @@
     <property name="project.manager.dir" value="${project.root.dir}/manager" />
 
     <!-- Set the project version -->
-    <property name="modx.core.version" value="2.6.4" />
+    <property name="modx.core.version" value="2.6.5" />
     <property name="modx.core.release" value="pl" />
 
     <!-- Set some common build properties -->
@@ -97,6 +98,7 @@
         <delete file="${core.dir}/packages/core.transport.zip" failonerror="false" />
         <delete dir="${core.dir}/packages/core" failonerror="false" />
         <exec dir="${project.basedir}" command="${php.command} transport.core.php ${transport.image}" />
+        <exec dir="${project.basedir}" command="${php.command} fixzip.php ${core.dir}/packages/core.transport.zip" />
     </target>
 
     <!-- Run the phpdoc generation script -->
@@ -210,6 +212,7 @@
                 <include name="**" />
             </fileset>
         </zip>
+        <exec dir="${project.basedir}" command="${php.command} fixzip.php ${build.distrib.dir}/${distrib.name}.zip" />
         <reflexive file="${build.image.dir}/setup/includes/config.core.php">
             <filterchain>
                 <replacetokens>
@@ -311,6 +314,7 @@
                 <include name="core/packages/core/*/*.resolver" />
             </fileset>
         </zip>
+        <exec dir="${project.basedir}" command="${php.command} fixzip.php ${build.distrib.dir}/${distrib.name}.zip" />
         <reflexive file="${build.image.dir}/setup/includes/config.core.php">
             <filterchain>
                 <replacetokens>
@@ -374,6 +378,7 @@
                 <include name="core/packages/core.transport.zip" />
             </fileset>
         </zip>
+        <exec dir="${project.basedir}" command="${php.command} fixzip.php ${build.distrib.dir}/${distrib.name}.zip" />
         <reflexive file="${build.image.dir}/setup/includes/config.core.php">
             <filterchain>
                 <replacetokens>

_build/fixzip.php

@@ -0,0 +1,26 @@
+<?php
+if (!isset($argv[1])) {
+    echo 'ERROR: No zip file specified.';
+    return 255;
+}
+
+$zipFileName = realpath($argv[1]);
+if (!file_exists($zipFileName) || !is_readable($zipFileName)) {
+    echo 'ERROR: Specified file does not exist or is not readable.';
+    return 255;
+}
+if (!is_writable($zipFileName)) {
+    echo 'ERROR: Specified file is not writable.';
+    return 255;
+}
+
+$zip = new ZipArchive();
+$zip->open($zipFileName);
+
+for ($i = 0; $i < $zip->count(); $i++) {
+    $zip->setExternalAttributesIndex($i, 0, 0);
+}
+
+$zip->close();
+
+return 0;

_build/transport.core.php

@@ -108,7 +108,7 @@
     $cacheManager->deleteTree($packageDirectory . 'core',array(
         'deleteTop' => true,
         'skipDirs' => false,
-        'extensions' => '*',
+        'extensions' => array(),
     ));
 }
 if (!file_exists($packageDirectory . 'core') && !file_exists($packageDirectory . 'core.transport.zip')) {

core/docs/changelog.txt

@@ -2,6 +2,11 @@
 This file shows the changes in recent releases of MODX. The most current release is usually the
 development release, and is only shown to give an idea of what's currently in the pipeline.
 
+MODX Revolution 2.6.5-pl (July 11, 2018)
+====================================
+- Prevent directory traversal and limit files deleted when clearing modFileRegister [#13980]
+- Filter user input used in phpthumb [#13979]
+
 MODX Revolution 2.6.4-pl (June 7, 2018)
 ====================================
 - Fix sorting by access column in Template Access tab of Template Variable edit view [#13893]

core/docs/version.inc.php

@@ -2,7 +2,7 @@
 $v= array ();
 $v['version']= '2'; // Current version.
 $v['major_version']= '6'; // Current major version.
-$v['minor_version']= '4'; // Current minor version.
+$v['minor_version']= '5'; // Current minor version.
 $v['patch_level']= 'pl'; // Current patch level.
 $v['code_name']= 'Revolution'; // Current codename.
 $v['distro']= '@git@';

core/model/modx/modfilehandler.class.php

@@ -632,7 +632,7 @@ public function remove($options = array()) {
         $options = array_merge(array(
             'deleteTop' => true,
             'skipDirs' => false,
-            'extensions' => '',
+            'extensions' => array(),
         ), $options);
 
         $this->fileHandler->modx->getCacheManager();

core/model/modx/registry/modfileregister.class.php

@@ -27,16 +27,21 @@ class modFileRegister extends modRegister {
     /**
      * Construct a new modFileRegister instance.
      *
-     * {@inheritdoc}
+     * @param modX &$modx A reference to a modX instance.
+     * @param string $key A valid PHP variable which will be set on the modRegistry instance.
+     * @param array $options Optional array of registry options.
      */
-    function __construct(& $modx, $key, $options = array()) {
-        parent :: __construct($modx, $key, $options);
+    function __construct(& $modx, $key, $options = array())
+    {
+        parent::__construct($modx, $key, $options);
+
         $modx->getCacheManager();
         $this->directory = $modx->getCachePath() . 'registry/';
         $this->directory .= isset($options['directory'])
-                ? $options['directory']
-                : $key;
-        if ($this->directory[strlen($this->directory)-1] != '/') $this->directory .= '/';
+            ? $options['directory']
+            : $key;
+
+        $this->directory = rtrim($this->directory, '/') . '/';
     }
 
     /**
@@ -57,12 +62,16 @@ public function connect(array $attributes = array()) {
      *
      * {@inheritdoc}
      */
-    public function clear($topic) {
-        $topicDirectory = $this->directory;
-        $topicDirectory.= $topic[0] == '/' ? substr($topic, 1) : $topic ;
-        return $this->modx->cacheManager->deleteTree($topicDirectory, array(
-            'extensions' => '.msg.php'
-        ));
+    public function clear($topic)
+    {
+        $topicDirectory = $this->directory . ltrim($this->sanitizePath($topic), '/');
+
+        return $this->modx->cacheManager->deleteTree(
+            realpath($topicDirectory),
+            array(
+                'extensions' => array('.msg.php')
+            )
+        );
     }
 
     /**
@@ -263,4 +272,14 @@ public function send($topic, $message, array $options = array()) {
     public function close() {
         return true;
     }
+
+    /**
+     * Sanitize the specified path
+     *
+     * @param string $path The path to clean
+     * @return string The sanitized path
+     */
+    protected function sanitizePath($path) {
+        return preg_replace(array("/\.*[\/|\\\]/i", "/[\/|\\\]+/i"), array('/', '/'), $path);
+    }
 }

core/model/modx/transport/modtransportpackage.class.php

@@ -199,9 +199,9 @@ public function getTransport($state = -1) {
                 $packageDir = $workspace->get('path') . 'packages/';
                 $sourceFile = $this->get('source');
                 if ($sourceFile) {
-                    $transferred= file_exists($packageDir . $sourceFile);
+                    $transferred = file_exists($packageDir . $sourceFile);
                     if (!$transferred) { /* if no transport zip, attempt to get it */
-                        if (!$transferred= $this->transferPackage($sourceFile, $packageDir)) {
+                        if (!$transferred = $this->transferPackage($sourceFile, $packageDir)) {
                             $this->xpdo->log(xPDO::LOG_LEVEL_ERROR,$this->xpdo->lexicon('package_err_transfer',array(
                                 'sourceFile' => $sourceFile,
                                 'packageDir' => $packageDir,
@@ -212,9 +212,9 @@ public function getTransport($state = -1) {
                     }
                     if ($transferred) {
                         if ($state < 0) {
-                            /* if directory is missing but zip exists, and DB state value is incorrect, fix here */
+                            /* if directory is missing or empty but zip exists, and DB state value is incorrect, fix here */
                             $targetDir = basename($sourceFile, '.transport.zip');
-                            $state = is_dir($packageDir.$targetDir) ? $this->get('state') : xPDOTransport::STATE_PACKED;
+                            $state = (is_dir($packageDir.$targetDir) && count(glob($packageDir.$targetDir.'/*')) !== 0) ? $this->get('state') : xPDOTransport::STATE_PACKED;
                         }
                         /* retrieve the package */
                         $this->package = xPDOTransport :: retrieve($this->xpdo, $packageDir . $sourceFile, $packageDir, $state);
@@ -236,6 +236,40 @@ public function getTransport($state = -1) {
         return $this->package;
     }
 
+    /**
+     * Get metadata for a package in a more usable format
+     * 
+     * @access public
+     * @param array $metadata optional input array to be processed, defaults to package metadata
+     * @param string $keyfield the inner array element pointing to the value for key substitution
+     * @return array an array of metadata accessible by $keyfield
+     */
+    public function getMetadata($metadata = array(), $keyfield = 'name') {
+        if (empty($metadata)) {
+            $metadata = $this->get('metadata');
+        }
+
+        if (is_array($metadata[0])) {
+            return array_reduce($metadata, function ($result, $item) use ($keyfield) {
+                $key = $item[$keyfield];
+                unset($item[$keyfield]);
+
+                /* recurisvely handle nested arrays, attributes and children */
+                foreach ($item as $k => $v) {
+                    if (is_array($v) && !empty($v)) {
+                        $item[$k] = $this->getMetadata($v);
+                    }
+                }
+
+                $result[$key] = $item;
+
+                return $result;
+            }, array());
+        } else {
+            return $metadata;
+        }
+    }
+
     /**
      * Removes and uninstalls the package.
      *
@@ -357,13 +391,35 @@ public function uninstall(array $options = array()) {
      * @return boolean True if successful.
      */
     public function transferPackage($sourceFile, $targetDir) {
-        $transferred= false;
-        $content= '';
+        $transferred = false;
+        $content = '';
         if (is_dir($targetDir) && is_writable($targetDir)) {
             if (!is_array($this->xpdo->version)) { $this->xpdo->getVersionData(); }
-            $productVersion = $this->xpdo->version['code_name'].'-'.$this->xpdo->version['full_version'];
-
-            $source= $this->get('service_url') . $sourceFile.(strpos($sourceFile,'?') !== false ? '&' : '?').'revolution_version='.$productVersion;
+            $productVersion = join('-', array(
+                $this->xpdo->version['code_name'],
+                $this->xpdo->version['full_version']
+            ));
+
+            /* make sure the package is downloaded, if not attempt re-download */
+            if (strpos($sourceFile, '//') === false && !file_exists($targetDir . $sourceFile)) {
+                /* get the package metadata */
+                $metadata = $this->getMetadata();
+
+                if (!empty($metadata) && ($metadata['location'] || $metadata['file'])) {
+                    /* assign remote download URL */
+                    if ($metadata['location']) {
+                        if (is_array($metadata['location'])) {
+                            $source = $metadata['location']['text'];
+                        } else {
+                            $source = $metadata['location'];
+                        }
+                    } else {
+                        $source = $metadata['file']['children']['location']['text'];
+                    }
+                }
+            } else {
+                $source = $this->get('service_url') . $sourceFile.(strpos($sourceFile,'?') !== false ? '&' : '?').'revolution_version='.$productVersion;
+            }
 
             /* see if user has allow_url_fopen on and is not behind a proxy */
             $proxyHost = $this->xpdo->getOption('proxy_host',null,'');
@@ -417,6 +473,11 @@ public function transferPackage($sourceFile, $targetDir) {
                     }
                 }
                 $content = curl_exec($ch);
+                $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+                if ($status >= 400) {
+                    $content = '';
+                }
                 curl_close($ch);
             }
 
@@ -432,7 +493,7 @@ public function transferPackage($sourceFile, $targetDir) {
                     $transferred= $cacheManager->writeFile($target, $content);
                 }
             } else {
-                $this->xpdo->log(xPDO::LOG_LEVEL_ERROR,'MODX could not download the file. You must enable allow_url_fopen, cURL or fsockopen to use remote transport packaging.');
+                $this->xpdo->log(xPDO::LOG_LEVEL_ERROR, 'MODX could not download the file. ' . (isset($status) ? 'Server responded with status code ' . $status . '.' : 'You must enable allow_url_fopen, cURL or fsockopen to use remote transport packaging.'));
             }
         } else {
             $this->xpdo->log(xPDO::LOG_LEVEL_ERROR,$this->xpdo->lexicon('package_err_target_write',array(
@@ -661,33 +722,45 @@ protected function _getByFsockopen($url) {
         $purl = parse_url($url);
         $host = $purl['host'];
         $path = !empty($purl['path']) ? $purl['path'] : '/';
-        if (!empty($purl['query'])) { $path .= '?'.$purl['query']; }
+        if (!empty($purl['query'])) {
+            $path .= '?' . $purl['query'];
+        }
         $port = !empty($purl['port']) ? $purl['port'] : '80';
 
         $timeout = 10;
         $response = '';
         $fp = @fsockopen($host,$port,$errno,$errstr,$timeout);
 
         if( !$fp ) {
-            $this->xpdo->log(xPDO::LOG_LEVEL_ERROR,'Could not retrieve from '.$url);
+            $this->xpdo->log(xPDO::LOG_LEVEL_ERROR, 'Could not retrieve from ' . $url);
         } else {
-            fwrite($fp, "GET $path ".$_SERVER['SERVER_PROTOCOL']."\r\n" .
-                "Host: $host\r\n" .
-                "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n" .
-                "Accept: */*\r\n" .
-                "Accept-Language: en-us,en;q=0.5\r\n" .
-                "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" .
-                "Keep-Alive: 300\r\n" .
-                "Connection: keep-alive\r\n" .
-                "Referer: http://$host\r\n\r\n");
-
-          while ($line = fread($fp, 4096)) {
-             $response .= $line;
-          }
-          fclose($fp);
-
-          $pos = strpos($response, "\r\n\r\n");
-          $response = substr($response, $pos + 4);
+            $out = implode("\r\n", array(
+                "GET $path " . $_SERVER['SERVER_PROTOCOL'],
+                "Host: $host",
+                "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3",
+                "Accept: */*",
+                "Accept-Language: en-us,en;q=0.5",
+                "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+                "Keep-Alive: 300",
+                "Connection: keep-alive",
+                "Referer: http://$host",
+                "\r\n"
+            ));
+            fwrite($fp, $out);
+
+            $status = explode(' ', fgets($fp, 13))[1];
+
+            if (strpos($status, '4') !== false || strpos($status, '5') !== false) {
+                $response = '';
+            } else {
+                while ($line = fread($fp, 4096)) {
+                    $response .= $line;
+                }
+                $pos = strpos($response, "\r\n\r\n");
+                $response = substr($response, $pos + 4);
+            }
+
+            fclose($fp);
        }
        return $response;
     }