XF\Service\AddOnArchive\Validator::validate() is not particularly robust if addon.json is in a weird state

Xon

Affected version: 2.3.7
PHP:
if (!$zip->extractTo(File::createTempDir(), $jsonFile))
{
    $error = \XF::phrase('files_could_not_be_extracted_from_add_on_archive');
    return false;
}

$json = json_decode($zip->getFromName($jsonFile), true);
$addOnManager = $this->app->addOnManager();

$title = $json['title'];
$newVersionId = $json['version_id'];

This extracts the addon file twice, and if the addon file fails to decode this can silently fail on production copies instead of giving a saner error message.

Something like the following would be more robust and avoid extracting the file twice:
PHP:
$raw = $zip->getFromName($jsonFile);
if (!is_string($raw))
{
    $error = \XF::phrase('files_could_not_be_extracted_from_add_on_archive');
    return false;
}
$json = @json_decode($raw, true);
if (!is_array($json))
{
    $error = json_last_error() ? json_last_error_msg() : \XF::phrase('unexpected_addon_json_contents');
    return false;
}

$addOnManager = $this->app->addOnManager();

$title = $json['title'] ?? $this->addOnId;
$newVersionId = $json['version_id'] ?? 0;
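
The single-read validation suggested above, as a standalone added example that is not part of the original post and is not XenForo code. `readAddOnJson()` and the sample archives are hypothetical, and rejecting a wrong-typed `title` or `version_id` (rather than substituting defaults) is an assumed policy.

```php
<?php
// Added example, not XenForo code; readAddOnJson() is a hypothetical helper.
// Returns [array|null $json, string|null $error] after a single archive read.
function readAddOnJson(ZipArchive $zip, string $jsonFile): array
{
    // getFromName() returns false when the entry is missing or unreadable.
    $raw = $zip->getFromName($jsonFile);
    if (!is_string($raw)) {
        return [null, "could not read $jsonFile from the archive"];
    }
    try {
        $json = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [null, 'invalid JSON: ' . $e->getMessage()];
    }
    // Syntactically valid JSON can still be a scalar or null.
    if (!is_array($json)) {
        return [null, 'addon.json does not contain a JSON object'];
    }
    // Assumed policy: reject wrong types instead of substituting defaults.
    if (!is_string($json['title'] ?? null) || $json['title'] === '') {
        return [null, 'missing or non-string "title"'];
    }
    if (!is_int($json['version_id'] ?? null) || $json['version_id'] < 0) {
        return [null, 'missing, non-integer or negative "version_id"'];
    }
    return [$json, null];
}

// Constructed sample inputs; null means the archive has no addon.json at all.
$cases = [
    'valid'      => '{"title":"Demo","version_id":1000010}',
    'truncated'  => '{"title":"Demo","version_i',
    'scalar'     => '"just a string"',
    'wrong type' => '{"title":["x"],"version_id":"1.0"}',
    'missing'    => null,
];
foreach ($cases as $name => $body) {
    $path = tempnam(sys_get_temp_dir(), 'addon');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addFromString($body === null ? 'readme.txt' : 'addon.json', $body ?? 'x');
    $zip->close();
    $zip->open($path);
    [, $error] = readAddOnJson($zip, 'addon.json');
    $zip->close();
    unlink($path);
    echo str_pad($name, 12), $error ?? 'ok', PHP_EOL;
}
```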
 