diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2016-11-11 18:53:26 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2016-11-11 18:53:26 +0100 |
| commit | 7cb0df28e2d99237c92922d9bf2fd203f0f1d8c0 (patch) | |
| tree | 28cd0d4ba40cd24c23cf1b89152825964abf1cf0 /lib | |
| parent | d61c8d74bbba9901c453a5f9be9a4ffa6cce4291 (diff) | |
| download | nextcloud-server-7cb0df28e2d99237c92922d9bf2fd203f0f1d8c0.tar.gz nextcloud-server-7cb0df28e2d99237c92922d9bf2fd203f0f1d8c0.zip | |
Prevent downgrade attacks for apps
We should verify the app versions when installing a new update, otherwise this could result in downgrade attacks when an attacker just copies the old signature.
Plus it prevents the case that in case of a bug in the appstore actually an older version gets installed.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Installer.php | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/private/Installer.php b/lib/private/Installer.php index aff2d2194aa..db71f7b1432 100644 --- a/lib/private/Installer.php +++ b/lib/private/Installer.php @@ -278,6 +278,20 @@ class Installer { ); } + // Check if the version is lower than before + $currentVersion = OC_App::getAppVersion($appId); + $newVersion = (string)$xml->version; + if(version_compare($currentVersion, $newVersion) === 1) { + throw new \Exception( + sprintf( + 'App for id %s has version %s and tried to update to lower version %s', + $appId, + $currentVersion, + $newVersion + ) + ); + } + $baseDir = OC_App::getInstallPath() . '/' . $appId; // Remove old app with the ID if existent OC_Helper::rmdirr($baseDir); |