[ticket/12009] Prevent user from enabling invalid extension through direct URL

PHPBB3-12009

phpBB/includes/acp/acp_extensions.php

@@ -88,6 +88,11 @@ class acp_extensions
 			break;
 
 			case 'enable_pre':
+				if (!$md_manager->validate_dir())
+				{
+					trigger_error($user->lang['EXTENSION_DIR_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$md_manager->validate_enable())
 				{
 					trigger_error($user->lang['EXTENSION_NOT_AVAILABLE'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -108,6 +113,11 @@ class acp_extensions
 			break;
 
 			case 'enable':
+				if (!$md_manager->validate_dir())
+				{
+					trigger_error($user->lang['EXTENSION_DIR_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
+				}
+
 				if (!$md_manager->validate_enable())
 				{
 					trigger_error($user->lang['EXTENSION_NOT_AVAILABLE'] . adm_back_link($this->u_action), E_USER_WARNING);

phpBB/language/en/acp/extensions.php

@@ -41,6 +41,7 @@ $lang = array_merge($lang, array(
 	'EXTENSIONS_EXPLAIN'		=> 'The Extensions Manager is a tool in your phpBB Board which allows you to manage all of your extensions statuses and view information about them.',
 	'EXTENSION_INVALID_LIST'	=> 'The “%s” extension is not valid.<br />%s<br /><br />',
 	'EXTENSION_NOT_AVAILABLE'	=> 'The selected extension is not available for this board, please verify your phpBB and PHP versions are allowed (see the details page).',
+	'EXTENSION_DIR_INVALID'		=> 'The selected extension has an invalid directory structure and cannot be enabled.',
 
 	'DETAILS'				=> 'Details',
 

phpBB/phpbb/extension/metadata_manager.php

@@ -266,8 +266,8 @@ class metadata_manager
 	 */
 	public function validate_enable()
 	{
-		// Check for phpBB, PHP versions
-		if (!$this->validate_require_phpbb() || !$this->validate_require_php())
+		// Check for valid directory & phpBB, PHP versions
+		if (!$this->validate_dir() || !$this->validate_require_phpbb() || !$this->validate_require_php())
 		{
 			return false;
 		}
@@ -275,6 +275,16 @@ class metadata_manager
 		return true;
 	}
 
+	/**
+	 * Validates the most basic directory structure to ensure it follows <vendor>/<ext> convention.
+	 *
+	 * @return boolean True when passes validation
+	 */
+	public function validate_dir()
+	{
+		return (substr_count($this->ext_name, '/') === 1 && $this->ext_name == $this->get_metadata('name'));
+	}
+
 
 	/**
 	 * Validates the contents of the phpbb requirement field

tests/extension/ext/barfoo/composer.json

@@ -0,0 +1,22 @@
+{
+	"name": "vendor/barfoo",
+	"type": "phpbb-extension",
+	"description": "An example/sample extension to be used for testing purposes in phpBB Development.",
+	"version": "1.0.0",
+	"time": "2012-02-15 01:01:01",
+	"licence": "GNU GPL v2",
+	"authors": [{
+			"name": "John Smith",
+			"username": "JohnSmith27",
+			"email": "email@phpbb.com",
+			"homepage": "http://phpbb.com",
+			"role": "N/A"
+		}],
+	"require": {
+		"php": ">=5.3",
+		"phpbb/phpbb": "3.1.*@dev"
+	},
+	"extra": {
+		"display-name": "phpBB BarFoo Extension"
+	}
+}

tests/extension/ext/barfoo/ext.php

@@ -1,6 +1,6 @@
 <?php
 
-namespace barfoo;
+namespace vendor\barfoo;
 
 class ext extends \phpbb\extension\base
 {

tests/functional/extension_acp_test.php

@@ -219,5 +219,9 @@ class phpbb_functional_extension_acp_test extends phpbb_functional_test_case
 		$form = $crawler->selectButton('delete_data')->form();
 		$crawler = self::submit($form);
 		$this->assertContainsLang('EXTENSION_DELETE_DATA_SUCCESS', $crawler->filter('.successbox')->text());
+
+		// Attempt to enable invalid extension
+		$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable_pre&ext_name=barfoo&sid=' . $this->sid);
+		$this->assertContainsLang('EXTENSION_DIR_INVALID', $crawler->filter('.errorbox')->text());
 	}
 }