[#41757] - [4.4] Joomla Update Component check package when using Upload & Update
- Fixed in Code Base
- 25 Sep 2023
- Medium
- Build: 4.4-dev
- # 41757
- Diff
- richard67:4.3-dev-joomlaupdate-package-check
- Pending continuous-integration/drone/pr Build is pending Details
User tests: Successful: Unsuccessful:
Pull Request for Issue #38702 .
Replacement for PR #38707 .
Summary of Changes
This pull request (PR) adds checks for the uploaded package to the Joomla Update component when Upload & Update is used.
The checks are executed after the package has been uploaded but before it is unpacked.
Following checks are added:
- Can the package be opened as a ZIP file? If not, it's either not a ZIP file or it's corrupted.
- Does the package contain the "installation/index.php" file? If yes, the user has uploaded a full installation package which shall not be used for updating.
- Does the package contain the "administrator/manifests/files/joomla.xml" file? If not, it's not a valid Joomla update package.
- Can the version be found in the "administrator/manifests/files/joomla.xml" file in the package? If not, it's not a valid Joomla update package.
- Is the version from the "administrator/manifests/files/joomla.xml" file in the package smaller than the current Joomla version? In this case it would be a downgrade, which is not supported.
The first check does not rely on a file name (base name or extension) check of the uploaded package file, so it can't be tricked by renaming that file.
Following checks are not added:
More tests could be added in future, but this would require to have that information inside the update package, e.g. in the "administrator/manifests/files/joomla.xml" file, which currently is not the case. That's why it should be done with future PRs. Such tests could be:
- Does the current PHP version fulfil the minimum required PHP version of the update package's Joomla version?
- Does the currently used database fulfil the minimum required database version of the update package's Joomla version for that database type?
- Does the target platform of the update package's Joomla version fit to the current Joomla version?
Testing Instructions
The following 5 tests have to be executed 3 times:
- Without the patch of this PR applied in order to get the actual result.
- With the patch applied on a server on which the PHP extension "zip" is available to get the expected result.
This is the case on most PHP installations. They come by default with that extension. - With the patch applied on a server on which the PHP extension "zip" is not available to get the expected result.
Case 3 can be simulated by changing the following code in the modified file from this PR:
so that it looks like this:
//if (\extension_loaded('zip')) {
// $this->checkPackageFileZip($userfile['tmp_name']);
//} else {
$this->checkPackageFileNoZip($userfile['tmp_name']);
//}
Hint: The screenshots in the results below have been made when I tested on the 4.3-dev branch before I have rebased this PR to 4.4-dev. Therefore they show different version numbers than a test on 4.4-dev does, but besides that the results are the same.
Test 1: Upload a file which is not a ZIP file
In the Joomla Update Component, go to "Upload & Update" and then use the button to chose a file.
In the file selection dialogue, change the file type filter from ".zip" to "All files (.*)".
Select any file which is not a ZIP file, e.g. an image, a CSS file, whatever comes into your mind, and use the "Open" button to upload the file.
Optionally, try to trap the new check by renaming that file so it has extension ".zip".
Test 2: Upload a full installation package
In the Joomla Update Component, go to "Upload & Update" and then chose a full installation package.
Optionally, try to trap the new check by renaming that package.
Test 3: Upload an update ZIP package for a Joomla version lower than the current Joomla version, i.e. try to downgrade
In the Joomla Update Component, go to "Upload & Update" and then chose an update ZIP package for a Joomla version lower than the current Joomla version.
Optionally, try to trap the new check by renaming that package.
Test 4: Upload a "hacked" update ZIP package which doesn't contain the "administrator/manifests/files/joomla.xml" file
Modify an update ZIP package with which updating should work by removing the "administrator/manifests/files/joomla.xml" file from the ZIP file, e.g. by unpacking the package, removing the file and packing the package again.
Optionally, try to trap the new check by creating a hacked package where that file is not missing but empty, or where it is missing the <version> element.
In the Joomla Update Component, go to "Upload & Update" and then chose the previously modified update ZIP package.
Test 5: Upload a valid update ZIP package which should work
In the Joomla Update Component, go to "Upload & Update" and then chose an update ZIP package with which updating should work, e.g. a current 5.5 nightly build or a 5.5.0-beta2.
Actual result BEFORE applying this Pull Request
Test 1: Upload a file which is not a ZIP file
The Joomla Update Component attempts to unpack the file and this fails. The error message is not really clear, and resuming or restarting the update would not make sense like it would do when it really was a valid file where just the download has been disturbed somehow.
Test 2: Upload a full installation package
The update seems to be successful.
But there might be issues due to the unpacked "installation" folder, e.,g. you might be redirected to the last installation step for adding additional languages, and it has a reason why we remove it when not being in development mode, so that should be inhibited.
Test 3: Upload an update ZIP package for a Joomla version lower than the current Joomla version, i.e. try to downgrade
The downgrade is performed. Depending on which version you downgrade to, your site is completely messed or only messed a bit.
Here the result of a downgrade to a 4.0.0 stable:
Test 4: Upload a "hacked" update ZIP package which doesn't contain the "administrator/manifests/files/joomla.xml" file
The update succeeds, but the "administrator/manifests/files/joomla.xml" file is still the old one from before the update.
Test 5: Upload a valid update ZIP package which should work
The update succeeds.
Expected result AFTER applying this Pull Request
Test 1: Upload a file which is not a ZIP file
No attempt to unpack the file. Clear error message:
Test 2: Upload a full installation package
No attempt to unpack the file. Clear error message:
Test 3: Upload an update ZIP package for a Joomla version lower than the current Joomla version, i.e. try to downgrade
No attempt to unpack the file. Clear error message:
Test 4: Upload a "hacked" update ZIP package which doesn't contain the "administrator/manifests/files/joomla.xml" file
No attempt to unpack the file. Clear error message:
Test 5: Upload a valid update ZIP package which should work
The update succeeds.
Link to documentations
Please select:
-
No documentation changes for docs.joomla.org needed
-
No documentation changes for manual.joomla.org needed
joomla-cms-bot
- | Category | ⇒ | Administration com_joomlaupdate Language & Strings |
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
Language Change
PR-4.3-dev
|
||
| Title |
|
||||||
| Labels |
Added:
bug
|
||
Back to draft. I'm developing an alternative which can be used when the zip extension is not loaded.
@richard67 What do you think about:
- Unpacking the file
libraries/src/Version.phpto tmp; - Rename
namespace Joomla\CMS;tonamespace TestingTestForTestingTheTest;, withstr_replace(); - Include new file;
- And read the version dirrectly
(new TestingTestForTestingTheTest\Version())->getShortVersion();
This should be more reliable than RegExp.
Or probbaly even better, read version from /administrator/manifests/files/joomla.xml
@richard67 What do you think about:
* Unpacking the file `libraries/src/Version.php` to tmp; * Rename `namespace Joomla\CMS;` to `namespace TestingTestForTestingTheTest;`, with `str_replace()`; * Include new file; * And read the version dirrectly `(new TestingTestForTestingTheTest\Version())->getShortVersion()`;This should be more reliable than RegExp. Or probbaly even better, read version from
/administrator/manifests/files/joomla.xml
@Fedik There is still no way to exctract only that one file when using the Archive framework.
There is still no way to exctract one file when using the Archive framework.
Yeah, that still open question ?
But I am fine if you will use what you have already done, maybe with extra check if zip extension is available
There is still no way to exctract one file when using the Archive framework.
Yeah, that still open question ? But I am fine if you will use what you have already done, maybe with extra check if zip extension is available
@Fedik The check if it is available I have already added with my last commit. But I could indeed read the joomla.xml manifest (without unpacking) and use standard xml methods to get the version instead of the regex for the Version.php file.
Ready for review and tests again.
| Title |
|
||||||
Rebased to 4.4-dev as it will not go into a 4.3.5 release.
| Build | 4.3-dev | ⇒ | 4.4-dev |
| Labels |
Added:
PR-4.4-dev
Removed: PR-4.3-dev |
||
I've updated this PR so it works also without the "zip" PHP extension. Will update testing instructions later. Done.
| Title |
|
||||||
| Labels |
Removed:
?
|
||
I tested all possible combinations successfully. Just one question remains. Till now it is possible to upgrade with a full installation package, with this pr then not anymore. Which increment do the upgrade packages contain? Because for me it is unclear now from which version people can then update through manual upload method.
I tested all possible combinations successfully. Just one question remains. Till now it is possible to upgrade with a full installation package, with this pr then not anymore. Which increment do the upgrade packages contain? Because for me it is unclear now from which version people can then update through manual upload method.
@laoneo The update (or upgrade) packages include the complete code minus what is later deleted by the build script, see here: https://github.com/joomla/joomla-cms/blob/4.4-dev/build/build.php#L618-L626 . The smaller patch packages which only contain the changes since the first stable patch version 0 or the smallest which contain onyl changes since the previous patch version we do not build anymore because it did not work for composer or npm results and compiled media files.
Using a full installation package with the updater produces problems when people to not delete the installation folder after that. That's why it is inhibited with my PR. All that was discussed in past in issue #38702 and PR #38707 .
I have tested this item ✅ successfully on fb43527
Tested all possible combinations with an invalid zip package, one which doesn't contain joomla, one which was a full Joomla, had an empty version and was a too high version. Also tested a valid update. All of them worked with both zip approaches.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/41757.
MacJoom
- | Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-09-25 20:46:44 |
| Closed_By | ⇒ | MacJoom |
Ready for review and tests.