From: Mark Hanna Date: Sat, 21 Oct 2017 21:55:32 +0000 (-0500) Subject: CRM-20906 backport for 4.6 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=f76ffc7261b513d9809b489cfd0f27480bfdfb7e;p=civicrm-core.git CRM-20906 backport for 4.6
---
diff --git a/CRM/Admin/Form/Extensions.php b/CRM/Admin/Form/Extensions.php
index fcd7f1ce3c..927db31af4 100644
--- a/CRM/Admin/Form/Extensions.php
+++ b/CRM/Admin/Form/Extensions.php
@@ -51,6 +51,10 @@ class CRM_Admin_Form_Extensions extends CRM_Admin_Form { $this, FALSE, 0 ); + if (!CRM_Utils_Type::validate($this->_key, 'ExtensionKey')) { + throw new CRM_Core_Exception('Extension Key does not match expected standard'); + } + $session = CRM_Core_Session::singleton(); $url = CRM_Utils_System::url('civicrm/admin/extensions', 'reset=1&action=browse'); $session->pushUserContext($url);
diff --git a/CRM/Utils/Rule.php b/CRM/Utils/Rule.php
index aff62b8ac6..0c3aea4465 100644
--- a/CRM/Utils/Rule.php
+++ b/CRM/Utils/Rule.php
@@ -857,4 +857,16 @@ class CRM_Utils_Rule { return ($key) ? CRM_Core_Key::valid($key) : FALSE; } + /** + * @param string $key Extension Key to check + * @return bool + */ + public static function checkExtensionKeyIsValid($key = NULL) { + + if (!empty($key) && !preg_match('/^[0-9a-zA-Z._-]+$/', $key)) { + return FALSE; + } + return TRUE; + } + }
diff --git a/CRM/Utils/Type.php b/CRM/Utils/Type.php
index 038d49713e..b2f87ffbe1 100644
--- a/CRM/Utils/Type.php
+++ b/CRM/Utils/Type.php
@@ -417,6 +417,12 @@ class CRM_Utils_Type { } break; + case 'ExtensionKey': + if (CRM_Utils_Rule::checkExtensionKeyIsValid($data)) { + return $data; + } + break; + default: CRM_Core_Error::fatal("Cannot recognize $type for $data"); break;
diff --git a/tests/phpunit/CRM/Utils/RuleTest.php b/tests/phpunit/CRM/Utils/RuleTest.php
index d3be0ee46c..168efeb101 100644
--- a/tests/phpunit/CRM/Utils/RuleTest.php
+++ b/tests/phpunit/CRM/Utils/RuleTest.php
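Review bot: `CRM_Utils_Type::validate()` returns the validated value rather than a boolean (the Type.php hunk in this same patch returns `$data` for `ExtensionKey`), so `!CRM_Utils_Type::validate($this->_key, 'ExtensionKey')` also fires for a falsy-but-valid key, notably the `0` default that `retrieve('key', 'String', $this, FALSE, 0)` supplies when no key is passed and which `checkExtensionKeyIsValid()` accepts. Separately, `validate()` is called without its `$abort` argument; if that parameter defaults to TRUE (its signature is outside this diff), an invalid key is handled by `CRM_Core_Error::fatal` inside `validate()` and the new `throw` is never reached. Assuming `validate()` returns NULL for a rejected value when `$abort` is FALSE, `if (CRM_Utils_Type::validate($this->_key, 'ExtensionKey', FALSE) === NULL) {` gives a catchable `CRM_Core_Exception` on a bad key without rejecting a valid-but-falsy one. The enclosing method starts and ends outside the hunk.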
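Review bot: The pattern `'/^[0-9a-zA-Z._-]+$/'` in `checkExtensionKeyIsValid()` still accepts a key carrying a single trailing newline, because `$` without the `D` modifier matches before a final `\n`; use `'/^[0-9a-zA-Z._-]+$/D'` (or `\z` in place of `$`) so the whole string must match. Also note that `!empty($key)` makes NULL, `''`, `0` and `'0'` all return TRUE, so a caller relying on this rule still has to handle a missing key itself; that is worth stating in the docblock, e.g. `@param string|null $key Extension key to check; empty values are treated as valid`. The blank line directly after the method signature is unusual for this file and can go.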
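Review bot: The new `ExtensionKey` case leaves the rejection path to whatever follows the switch in `validate()`, which is outside the hunk, so the outcome of a bad key (fatal versus a NULL return) depends on the caller's `$abort` argument rather than on this case; a short comment on the case, `// Rejection is handled after the switch; see $abort.`, would make that explicit. If `CRM_Utils_Type` also keeps a parallel type switch in `escape()` or a list of recognised type names, this commit does not add `ExtensionKey` there and such a call would land in that path's default branch; worth checking. The enclosing function starts and ends outside the hunk.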
@@ -80,4 +80,24 @@ class CRM_Utils_RuleTest extends CiviUnitTestCase { ); } + /** + * @return array + */ + public function extensionKeyTests() { + $keys = array(); + $keys[] = array('org.civicrm.multisite', TRUE); + $keys[] = array('au.org.contribute2016', TRUE); + $keys[] = array('%3Csvg%20onload=alert(0)%3E', FALSE); + return $keys; + } + + /** + * @param $key + * @param $expectedResult + * @dataProvider extensionKeyTests + */ + public function testExtensionKeyValid($key, $expectedResult) { + $this->assertEquals($expectedResult, CRM_Utils_Rule::checkExtensionKeyIsValid($key)); + } + }
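Review bot: The provider in `extensionKeyTests()` covers two valid keys and one URL-encoded payload but not the boundaries that define the rule: an empty key, which `checkExtensionKeyIsValid()` accepts through `!empty()`, and the decoded form of the rejected string, which exercises the `<` and space characters rather than `%`. Adding `$keys[] = array('', TRUE);` and `$keys[] = array('<svg onload=alert(0)>', FALSE);` pins both; a trailing-newline case, `$keys[] = array("org.civicrm.multisite\n", FALSE);`, would fail against the rule as written and documents that its `$` anchor needs the `D` modifier. The `@param` tags on `testExtensionKeyValid()` carry no types; `@param string $key` and `@param bool $expectedResult` match what the provider yields.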