if (!$upload->confirm_upload() || strtolower(pathinfo($upload->get_stored_file_name(), PATHINFO_EXTENSION)) != 'zip' || !$upload->final_move($upload->get_stored_file_name())) { unlinkTempFiles(); sugar_die("Invalid Package"); } else { $tempFile = "upload://" . $upload->get_stored_file_name(); $perform = true; $base_filename = urldecode($_REQUEST['upgrade_zip_escaped']); } } } if ($perform) { $manifest_file = extractManifest($tempFile); if (is_file($manifest_file)) { //SCAN THE MANIFEST FILE TO MAKE SURE NO COPIES OR ANYTHING ARE HAPPENING IN IT $ms = new ModuleScanner(); $fileIssues = $ms->scanFile($manifest_file); if (!empty($fileIssues)) { echo '<h2>' . $mod_strings['ML_MANIFEST_ISSUE'] . '</h2><br>'; $ms->displayIssues(); die; } require_once $manifest_file; validate_manifest($manifest); $upgrade_zip_type = $manifest['type']; // exclude the bad permutations if ($view == "module") { if ($upgrade_zip_type != "module" && $upgrade_zip_type != "theme" && $upgrade_zip_type != "langpack") { unlinkTempFiles(); die($mod_strings['ERR_UW_NOT_ACCEPTIBLE_TYPE']); } } elseif ($view == "default") {
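/**
 * The scanner must report a `::setLevel()` call regardless of the name it is invoked on.
 *
 * The fixture calls setLevel() statically through a variable rather than a literal
 * class name; per the fixture's own comment, setLevel is the banned method and the
 * class name is irrelevant. The test passes when scanFile() returns a non-empty result.
 */
public function testCallMethodDoubleColonFail()
{
    // Heredoc escapes: \t is written as a tab and \$ as a literal dollar sign,
    // so the fixture file contains `$GlobalLoggerClass::setLevel();`.
    $fixture = <<<EOQ
<?PHP
//doesnt matter what the class name is, what matters is use of the banned method, setlevel
\t\$GlobalLoggerClass::setLevel();
?>
EOQ;

    // Stop here if the fixture could not be written: otherwise the scan would run
    // against whatever is (or is not) already at fileLoc, and a result from that
    // says nothing about the detection this test is meant to pin.
    $written = file_put_contents($this->fileLoc, $fixture);
    $this->assertNotFalse($written, 'Could not write the scanner fixture file');

    $scanner = new ModuleScanner();
    $issues = $scanner->scanFile($this->fileLoc);

    $this->assertNotEmpty(
        $issues,
        'There should have been an error caught for use of "::setLevel()'
    );
}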
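/**
 * The scanner must report a call made indirectly through call_user_func().
 *
 * The fixture never calls sugar_file_put_contents directly; it passes the function
 * name as a string to call_user_func(). The test passes when scanFile() returns a
 * non-empty result for that file.
 */
public function testCallUserFunctionFail()
{
    // Heredoc escape: \t is written to the fixture as a tab.
    $fixture = <<<EOQ
<?PHP
\tcall_user_func("sugar_file_put_contents", "test2.php", "test");
?>
EOQ;

    // Stop here if the fixture could not be written: otherwise the scan would run
    // against whatever is (or is not) already at fileLoc, and a result from that
    // says nothing about the detection this test is meant to pin.
    $written = file_put_contents($this->fileLoc, $fixture);
    $this->assertNotFalse($written, 'Could not write the scanner fixture file');

    $scanner = new ModuleScanner();
    $issues = $scanner->scanFile($this->fileLoc);

    // assertNotEmpty reports the offending value on failure, which
    // assertTrue(!empty(...)) cannot; it also matches the sibling test's style.
    $this->assertNotEmpty(
        $issues,
        'There should have been an error caught for use of call_user_func()'
    );
}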