plugininstall.php 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199
  1. <?php
  2. // This file is part of GNU social - https://www.gnu.org/software/social
  3. //
  4. // GNU social is free software: you can redistribute it and/or modify
  5. // it under the terms of the GNU Affero General Public License as published by
  6. // the Free Software Foundation, either version 3 of the License, or
  7. // (at your option) any later version.
  8. //
  9. // GNU social is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU Affero General Public License for more details.
  13. //
  14. // You should have received a copy of the GNU Affero General Public License
  15. // along with GNU social. If not, see <http://www.gnu.org/licenses/>.
  16. defined('STATUSNET') || die();
  17. require_once INSTALLDIR . '/lib/util/deletetree.php';
  18. /**
  19. * Plugin install action.
  20. *
  21. * Uploads a third party plugin to the right directories.
  22. *
  23. * Takes parameters:
  24. *
  25. * - pluginfile: plugin file
  26. * - token: session token to prevent CSRF attacks
  27. * - ajax: bool; whether to return Ajax or full-browser results
  28. *
  29. * Only works if the current user is logged in.
  30. *
  31. * @category Action
  32. * @package GNUsocial
  33. * @author Diogo Cordeiro <diogo@fc.up.pt>
  34. * @copyright 2019 Free Software Foundation, Inc http://www.fsf.org
  35. * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  36. */
  37. class PlugininstallAction extends Action
  38. {
  39. public $pluginfile = null;
  40. /**
  41. * @param array $args
  42. * @return bool
  43. * @throws ClientException
  44. */
  45. public function prepare(array $args = [])
  46. {
  47. parent::prepare($args);
  48. // @fixme these are pretty common, should a parent class factor these out?
  49. // Only allow POST requests
  50. if ($_SERVER['REQUEST_METHOD'] != 'POST') {
  51. // TRANS: Client error displayed when trying to use another method than POST.
  52. // TRANS: Do not translate POST.
  53. $this->clientError(_('This action only accepts POST requests.'));
  54. }
  55. // CSRF protection
  56. $token = $this->trimmed('token');
  57. if (!$token || $token != common_session_token()) {
  58. // TRANS: Client error displayed when the session token does not match or is not given.
  59. $this->clientError(_m('There was a problem with your session token.'.
  60. ' Try again, please.'));
  61. }
  62. // Only for logged-in users
  63. $this->user = common_current_user();
  64. if (empty($this->user)) {
  65. // TRANS: Error message displayed when trying to perform an action that requires a logged in user.
  66. $this->clientError(_m('Not logged in.'));
  67. }
  68. if (!AdminPanelAction::canAdmin('plugins')) {
  69. // TRANS: Client error displayed when trying to enable or disable a plugin without access rights.
  70. $this->clientError(_m('You cannot administer plugins.'));
  71. }
  72. if (!is_writable(INSTALLDIR . '/local/plugins/') ||
  73. !is_writable(PUBLICDIR . '/local/plugins/')) {
  74. $this->clientError(_m("No permissions to write on the third party plugin upload directory(ies)."));
  75. }
  76. return true;
  77. }
  78. /**
  79. * Only handle if we receive an upload request
  80. *
  81. * @throws ClientException
  82. * @throws NoUploadedMediaException
  83. */
  84. protected function handle()
  85. {
  86. if ($this->trimmed('upload')) {
  87. $this->uploadPlugin();
  88. $url = common_local_url('pluginsadminpanel');
  89. common_redirect($url, 303);
  90. } else {
  91. // TRANS: Unexpected validation error on plugin upload form.
  92. throw new ClientException(_('Unexpected form submission.'));
  93. }
  94. }
  95. /**
  96. * Handle a plugin upload
  97. *
  98. * Does all the magic for handling a plugin upload.
  99. *
  100. * @return void
  101. * @throws ClientException
  102. * @throws NoUploadedMediaException
  103. */
  104. public function uploadPlugin(): void
  105. {
  106. // The existence of the "error" element means PHP has processed it properly even if it was ok.
  107. $form_name = 'pluginfile';
  108. if (!isset($_FILES[$form_name]) || !isset($_FILES[$form_name]['error'])) {
  109. throw new NoUploadedMediaException($form_name);
  110. }
  111. if ($_FILES[$form_name]['error'] != UPLOAD_ERR_OK) {
  112. throw new ClientException(_m('System error uploading file.'));
  113. }
  114. $filename = basename($_FILES[$form_name]['name']);
  115. $ext = null;
  116. if (preg_match('/^.+?\.([A-Za-z0-9]+)$/', $filename, $matches) === 1) {
  117. // we matched on a file extension, so let's see if it means something.
  118. $ext = mb_strtolower($matches[1]);
  119. $plugin_name = basename($filename, '.'.$ext);
  120. $temp_path = INSTALLDIR.DIRECTORY_SEPARATOR.ltrim($_FILES[$form_name]['tmp_name'], '/tmp/').'.'.$ext;
  121. if (!in_array($ext, ['tar', 'zip'])) { // IF not a Phar extension
  122. $ext = null; // Let it throw exception below
  123. }
  124. }
  125. if (is_null($ext)) {
  126. // garbage collect
  127. @unlink($_FILES[$form_name]['tmp_name']);
  128. throw new ClientException(_m('Invalid plugin package extension. Must be either tar or zip.'));
  129. }
  130. move_uploaded_file($_FILES[$form_name]['tmp_name'], $temp_path);
  131. $this->extractPlugin($temp_path, $plugin_name);
  132. }
  133. /**
  134. * Plugin extractor
  135. * The file should have the plugin_name (plus the extension) and inside two directories, the `includes` which will
  136. * be unpacked to local/plugins/:filename and a `public` which will go to public/local/plugins/:filename
  137. *
  138. * @param $temp_path string Current location of the plugin package (either a tarball or a zip archive)
  139. * @param $plugin_name string see uploadPlugin()
  140. * @throws ClientException If anything goes wrong
  141. */
  142. public function extractPlugin($temp_path, $plugin_name): void
  143. {
  144. $phar = new PharData($temp_path);
  145. $dest_installdir = INSTALLDIR . '/local/plugins/'.$plugin_name;
  146. $dest_publicdir = PUBLICDIR . '/local/plugins/'.$plugin_name;
  147. try {
  148. $phar->extractTo($dest_installdir, 'includes', false);
  149. $phar->extractTo($dest_publicdir, 'public', false);
  150. } catch (PharException $e) {
  151. // garbage collect
  152. @unlink($temp_path);
  153. // Rollback
  154. deleteTree($dest_installdir);
  155. deleteTree($dest_publicdir);
  156. // Warn about the failure
  157. throw new ClientException($e->getMessage());
  158. }
  159. foreach ([$dest_installdir.'includes',
  160. $dest_publicdir.'public'] as $source) {
  161. $files = scandir("source");
  162. foreach ($files as $file) {
  163. if (in_array($file, ['.', '..'])) {
  164. continue;
  165. }
  166. rename($source . $file, dirname($source) . $file);
  167. }
  168. }
  169. rmdir($dest_installdir.'includes');
  170. rmdir($dest_publicdir.'public');
  171. // garbage collect
  172. @unlink($temp_path);
  173. }
  174. }