From 08d24b640509e20e99722e0e32fc939788512bbb Mon Sep 17 00:00:00 2001
From: Stefan Giehl <stefan@piwik.org>
Date: Fri, 17 Mar 2017 22:10:21 +0100
Subject: [PATCH] Introduces new config setting to enabled plugin upload (#11445)

* introduces new config setting to enabled plugin upload (disabled by default)
* updates changelog
* updates expected screenshot
* improve message
---
 CHANGELOG.md | 5 +++++
 config/global.ini.php | 4 ++++
 plugins/CorePluginsAdmin/Controller.php | 4 ++++
 plugins/CorePluginsAdmin/CorePluginsAdmin.php | 5 +++++
 plugins/Marketplace/Controller.php | 1 +
 plugins/Marketplace/lang/en.json | 1 +
 plugins/Marketplace/templates/overview.twig | 7 +++++++
 ...grationTest_admin_diagnostics_configfile.png | Bin 132 -> 132 bytes
 8 files changed, 27 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab9e6c198b..9b63cc78b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ This is the Developer Changelog for Piwik platform developers. All changes in ou
 The Product Changelog at **[piwik.org/changelog](http://piwik.org/changelog)** lets you see more details about any Piwik release, such as the list of new guides and FAQs, security fixes, and links to all closed issues.
+## Piwik 3.0.3
+
+### Breaking Changes
+* New config setting `enable_plugin_upload` let's you enable plugin upload. This used to work without any changes before, but is disabled by default now for security reasons.
+
 ## Piwik 3.0.2
 ### New Features
diff --git a/config/global.ini.php b/config/global.ini.php
index af3eb6f7b8..1dc2dda825 100644
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -539,6 +539,10 @@ enable_load_data_infile = 1
 ; - links to Uninstall themes will be disabled (but user can still enable/disable themes)
 enable_plugins_admin = 1
+; By setting this option to 1, it will be possible to upload plugin archives directly in Piwik
+; Enabling this opens a remote code execution vulnarability, which yould be used by attackers gaining access to Piwik admin
+enable_plugin_upload = 0
+
 ; By setting this option to 0, you can prevent Super User from editing the Geolocation settings.
 enable_geolocation_admin = 1
diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php
index 13872a3793..5861ae0a71 100644
--- a/plugins/CorePluginsAdmin/Controller.php
+++ b/plugins/CorePluginsAdmin/Controller.php
@@ -88,6 +88,10 @@ class Controller extends Plugin\ControllerAdmin
 static::dieIfPluginsAdminIsDisabled();
 Piwik::checkUserHasSuperUserAccess();
+ if (!CorePluginsAdmin::isPluginUploadEnabled()) {
+ throw new \Exception('Plugin upload disabled by config');
+ }
+
 $nonce = Common::getRequestVar('nonce', null, 'string');
 if (!Nonce::verifyNonce(MarketplaceController::INSTALL_NONCE, $nonce)) {
diff --git a/plugins/CorePluginsAdmin/CorePluginsAdmin.php b/plugins/CorePluginsAdmin/CorePluginsAdmin.php
index df8934519b..d1c0a3fee1 100644
--- a/plugins/CorePluginsAdmin/CorePluginsAdmin.php
+++ b/plugins/CorePluginsAdmin/CorePluginsAdmin.php
@@ -36,6 +36,11 @@ class CorePluginsAdmin extends Plugin
 return (bool) Config::getInstance()->General['enable_plugins_admin'];
 }
+ public static function isPluginUploadEnabled()
+ {
+ return (bool) Config::getInstance()->General['enable_plugin_upload'];
+ }
+
 public function getJsFiles(&$jsFiles)
 {
 $jsFiles[] = "libs/bower_components/jQuery.dotdotdot/src/js/jquery.dotdotdot.min.js";
diff --git a/plugins/Marketplace/Controller.php b/plugins/Marketplace/Controller.php
index 986ee5cf9a..d04e374f74 100644
--- a/plugins/Marketplace/Controller.php
+++ b/plugins/Marketplace/Controller.php
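Review bot: The second comment line added above `enable_plugin_upload = 0` misspells two words ('vulnarability', 'yould'), and it is the line an administrator reads before switching on a setting the commit itself describes as a remote code execution risk. A corrected version: `; Enabling this opens a remote code execution vulnerability, which could be used by attackers who gain access to a Piwik Super User account`. It would also help to state the default on the first line, e.g. `; By setting this option to 1 (default 0), it will be possible to upload plugin archives directly in Piwik`.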
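Review bot: The guard added after `Piwik::checkUserHasSuperUserAccess()` throws a bare `\Exception` with the hard-coded English string 'Plugin upload disabled by config', while the same commit adds a `Marketplace_PluginUploadDisabled` translation for the overview page, so the two paths report the same condition with different wording. `throw new \Exception(Piwik::translate('Marketplace_PluginUploadDisabled'));` would keep them aligned, and `Piwik` is already referenced on the preceding line. The ordering itself is sound: the config check runs after the Super User check and before the nonce is read, so a disabled feature fails closed before any uploaded file is handled. The enclosing method starts and ends outside the hunk.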
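Review bot: `isPluginUploadEnabled()` is added without a docblock or return type, and nothing near it says the setting defaults to off. A one-line docblock would do: `/** @return bool true when General.enable_plugin_upload is set to 1 (off by default); gates the plugin ZIP upload action. */`. The `(bool)` cast fails closed if the key is ever absent from the merged config, but at the cost of an undefined-index notice; if that can happen on an installation whose `global.ini.php` is older than this code, `return !empty(Config::getInstance()->General['enable_plugin_upload']);` gives the same result without the notice. The class continues outside the hunk.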
@@ -271,6 +271,7 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
 $view->isPluginsAdminEnabled = CorePluginsAdmin::isPluginsAdminEnabled();
 $view->isAutoUpdatePossible = SettingsPiwik::isAutoUpdatePossible();
 $view->isAutoUpdateEnabled = SettingsPiwik::isAutoUpdateEnabled();
+ $view->isPluginUploadEnabled = CorePluginsAdmin::isPluginUploadEnabled();
 return $view->render();
 }
diff --git a/plugins/Marketplace/lang/en.json b/plugins/Marketplace/lang/en.json
index 1278adf2c2..f27bfc16bd 100644
--- a/plugins/Marketplace/lang/en.json
+++ b/plugins/Marketplace/lang/en.json
@@ -103,6 +103,7 @@
 "Updated": "Updated",
 "UpdatingPlugin": "Updating %1$s",
 "UploadZipFile": "Upload ZIP file",
+ "PluginUploadDisabled": "Plugin upload is disabled in config file. In order to enable this feature please update your configuration or contact your administrator",
 "LicenseKeyExpiresSoon": "Your license key expires soon, please contact %1$s.",
 "LicenseKeyIsExpired": "Your license key is expired, please contact %1$s.",
 "MultiServerEnvironmentWarning": "You cannot install or update the plugin directly as you are using Piwik on multiple servers. The plugin would be only installed on one server. Instead download the plugin and deploy it manually to all your servers.",
diff --git a/plugins/Marketplace/templates/overview.twig b/plugins/Marketplace/templates/overview.twig
index 9541ab0a16..76123fc2a1 100644
--- a/plugins/Marketplace/templates/overview.twig
+++ b/plugins/Marketplace/templates/overview.twig
@@ -31,6 +31,7 @@
 <div class="ui-confirm" id="installPluginByUpload">
 <h2>{{ 'Marketplace_TeaserExtendPiwikByUpload'|translate }}</h2>
+ {% if isPluginUploadEnabled %}
 <p class="description"> {{ 'Marketplace_AllowedUploadFormats'|translate }} </p>
 <form enctype="multipart/form-data" method="post" id="uploadPluginForm"
@@ -39,6 +40,12 @@
 <br />
 <input class="startUpload btn" type="submit" value="{{ 'Marketplace_UploadZipFile'|translate }}">
 </form>
+ {% else %}
+ <p class="description"> {{ 'Marketplace_PluginUploadDisabled'|translate|raw }} </p>
+ <pre>[General]
+enable_plugin_upload = 1</pre>
+ <input role="yes" type="button" value="{{ 'General_Ok'|translate }}"/>
+ {% endif %}
 </div>
 <div class="row marketplaceActions" ng-controller="PiwikMarketplaceController as marketplace">
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png
index b4569d0fe7c006fa878da719d41a46e15e7c47bf..352b8887f70d3cb12a63956ceb835c6bdf69594d 100644
GIT binary patch
delta 85
zcmZo+Y+;;W=4X^@X_jPSX_1ngmYisqVrgn(Ze(m}mXelcY?f?lU}0&HYLS+dXqIAb
ol$4rgVQg$<ZfRj;Xk?mbYH4PYYQj~VS(U0_Y-(y`VQ9n!003+j!~g&Q

delta 85
zcmZo+Y+;;W=9g$`U}9mOl$4m5m}+TcYG#>ak&=>Zlx&=qXpokcVrZFUX>OdDYMz{8
oZf=;GmXeximSkvXXla?6mXczgWXe^XS(U0_Y-(&|Vr0k#07Z=$vj6}9

-- 
GitLab
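Review bot: In the new `{% else %}` branch the translated `Marketplace_PluginUploadDisabled` text is piped through `|raw`, which switches off Twig's autoescaping for that value; the English string added in en.json contains no markup, so `raw` changes nothing today but means every future translation of that key lands in the page unescaped. Dropping the filter gives identical output for the current text: `<p class="description"> {{ 'Marketplace_PluginUploadDisabled'|translate }} </p>`. The `{% if isPluginUploadEnabled %}` that this `else` belongs to is opened in the earlier hunk, outside this one.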