MDL-49329 admin: Validate the contents of the cached plugin ZIP package

diff --git a/lib/classes/update/code_manager.php b/lib/classes/update/code_manager.php
index a537f33..6d6d320 100644 (file)
--- a/lib/classes/update/code_manager.php
+++ b/lib/classes/update/code_manager.php
@@ -104,8 +104,10 @@ class code_manager {
         // The cache location for the file.
         $distfile = $this->temproot.'/distfiles/'.$md5.'.zip';
 
-        if (is_readable($distfile)) {
+        if (is_readable($distfile) and md5_file($distfile) === $md5) {
             return $distfile;
+        } else {
+            @unlink($distfile);
         }
 
         // Download the file into a temporary location.

diff --git a/lib/tests/update_code_manager_test.php b/lib/tests/update_code_manager_test.php
index fa61144..e1652c4 100644 (file)
--- a/lib/tests/update_code_manager_test.php
+++ b/lib/tests/update_code_manager_test.php
@@ -54,6 +54,21 @@ class core_update_code_manager_testcase extends advanced_testcase {
         $this->assertEquals(3, $codeman->downloadscounter);
     }
 
+    public function test_get_remote_plugin_zip_corrupted_cache() {
+
+        $temproot = make_request_directory();
+        $codeman = new \core\update\testable_code_manager(null, $temproot);
+
+        file_put_contents($temproot.'/distfiles/'.md5('http://valid/').'.zip', 'http://invalid/');
+
+        // Even if the cache file is already there, its name does not match its
+        // actual content. It must be removed and re-downaloaded.
+        $returned = $codeman->get_remote_plugin_zip('http://valid/', md5('http://valid/'));
+
+        $this->assertEquals(basename($returned), md5('http://valid/').'.zip');
+        $this->assertEquals(file_get_contents($returned), 'http://valid/');
+    }
+
     public function test_move_plugin_directory() {
         $codeman = new \core\update\testable_code_manager();