From 5db36b5fe9a1d5b90f5f029dff109652e4bbe2ec Mon Sep 17 00:00:00 2001
From: Rasmus Fuhse <krassmus@gmail.com>
Date: Tue, 24 Mar 2015 22:21:39 +0100
Subject: [PATCH] re #17 : add migration

---
 controllers/myplugins.php            |  5 +++++
 controllers/update.php               | 23 +++++++++++++++++++++--
 migrations/03_add_release_secret.php | 13 +++++++++++++
 views/myplugins/_edit_release.php    | 11 +++++++++++
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 migrations/03_add_release_secret.php

diff --git a/controllers/myplugins.php b/controllers/myplugins.php
index 611f55a..5fea9b8 100644
--- a/controllers/myplugins.php
+++ b/controllers/myplugins.php
@@ -153,6 +153,11 @@ class MypluginsController extends MarketController
         if ($release_data['type'] === "zipfile") {
             $this->release['repository_download_url'] = null;
         }
+        if (!Request::get("use_secret")) {
+            $this->release['repository_secret'] = null;
+        } elseif(!$this->release['repository_secret']) {
+            $this->release['repository_secret'] = md5(uniqid());
+        }
         $this->release->installFile();
         $this->release->store();
 
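Review bot: The secret generated on the new line `$this->release['repository_secret'] = md5(uniqid());` is not drawn from a CSPRNG — `uniqid()` is derived from the microsecond clock, so the token that later gates `installFile()` is far more predictable than its 32 hex characters suggest. Replace it with `bin2hex(openssl_random_pseudo_bytes(16))` (or `bin2hex(random_bytes(16))` where PHP 7 is available); both yield 32 hex characters, which still fits the `VARCHAR(32)` column this patch adds. The check `!$this->release['repository_secret']` on the line above also means an existing secret is never rotated once `use_secret` is kept on; if rotation is intended, a separate explicit action would be needed. The enclosing edit method starts and ends outside this hunk.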
diff --git a/controllers/update.php b/controllers/update.php
index 3810a7b..f9a2425 100644
--- a/controllers/update.php
+++ b/controllers/update.php
@@ -15,10 +15,29 @@ class UpdateController extends MarketController
             die();
         }
         if ($release->getSecurityHash() === Request::get("s")) {
-            $release->installFile();
-            $this->render_text("OK");
+            if ($release['repository_secret']
+                    && !$this->verify_secret($release['repository_secret'])) {
+                $this->render_text("Incorrect payload.");
+                return;
+            } else {
+                $release->installFile();
+                $this->render_text("OK");
+            }
         } else {
             $this->render_text("Insecure request.");
         }
     }
+
+    protected function verify_secret($secret)
+    {
+        if (!isset($_SERVER['HTTP_X_HUB_SIGNATURE'])) {
+            return false;
+        }
+        $signatureHeader = $_SERVER['HTTP_X_HUB_SIGNATURE'];
+        $payload = file_get_contents('php://input');
+        list($algorithm, $hash) = explode('=', $signatureHeader, 2);
+
+        $calculatedHash = hash_hmac($algorithm, $payload, $secret);
+        return $calculatedHash === $hash;
+    }
 }
\ No newline at end of file
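Review bot: `verify_secret` compares the HMAC with `$calculatedHash === $hash`, which is not constant-time; use `hash_equals($calculatedHash, $hash)` (PHP 5.6+), and note `$hash` may be `null` when the header carries no `=`, since `list()` then also emits a notice. The algorithm name on the left of the header is attacker-controlled and passed straight to `hash_hmac`; restricting it to the expected `sha1`/`sha256` avoids an unknown-algorithm warning and a `false` return being compared to a string. The `else` after `return` in the caller is redundant and could be flattened, but that is style only; the caller's action starts before this hunk. If GitLab webhooks are meant to use this path as the view text suggests, be aware that GitLab sends its secret as a plain token header rather than an `X-Hub-Signature` HMAC, so those requests would land on `Incorrect payload.` — worth confirming against the intended providers.
```php
    protected function verify_secret($secret)
    {
        if (!isset($_SERVER['HTTP_X_HUB_SIGNATURE'])) {
            return false;
        }
        $parts = explode('=', $_SERVER['HTTP_X_HUB_SIGNATURE'], 2);
        // Only accept the HMAC algorithms the webhook provider actually uses.
        if (count($parts) !== 2 || !in_array($parts[0], array('sha1', 'sha256'), true)) {
            return false;
        }
        list($algorithm, $hash) = $parts;
        $payload = file_get_contents('php://input');
        $calculatedHash = hash_hmac($algorithm, $payload, $secret);
        // Constant-time comparison so the check cannot be timed byte by byte.
        return hash_equals($calculatedHash, $hash);
    }
```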
diff --git a/migrations/03_add_release_secret.php b/migrations/03_add_release_secret.php
new file mode 100644
index 0000000..46b2c60
--- /dev/null
+++ b/migrations/03_add_release_secret.php
@@ -0,0 +1,13 @@
+<?php
+
+class AddReleaseSecret extends Migration {
+    
+    public function up() {
+        DBManager::get()->exec("
+            ALTER TABLE `pluginmarket_releases`
+            ADD `repository_secret` VARCHAR( 32 ) NULL
+            AFTER `repository_download_url` ;
+        ");
+    }
+	
+}
\ No newline at end of file
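Review bot: The migration defines only `up()`, so adding `repository_secret` cannot be reverted through the migration runner; if the `Migration` base class provides the usual `down()` hook, add `public function down() { DBManager::get()->exec("ALTER TABLE `pluginmarket_releases` DROP `repository_secret`"); }`. A short `description()` stating that the column stores the per-release webhook secret would also help operators reading the migration list, assuming the base class exposes one. The stray tab-only line before the closing brace should be removed.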
diff --git a/views/myplugins/_edit_release.php b/views/myplugins/_edit_release.php
index adc967c..179c5bb 100644
--- a/views/myplugins/_edit_release.php
+++ b/views/myplugins/_edit_release.php
@@ -39,6 +39,10 @@
             <?= _("Download-URL des Branches oder des Tags") ?>
             <input type="text" name="release[repository_download_url]" value="<?= htmlReady($release['repository_download_url']) ?>">
         </label>
+        <label>
+            <?= _("Automatisches Update absichern �ber Sicherheitstoken (optional)") ?>
+            <input type="checkbox" name="use_secret"<? $release->isNew() || $release['repository_secret'] ? " checked" : "" ?> value="1">
+        </label>
         <p class="info">
             <?= _("Github.com und gitlab bieten zu jedem Branch und Tag den Download als ZIP-Datei an. Klicken Sie dort mit rechter Maustaste auf den Downloadbutton und kopieren Sie die URL, um sie hier einzuf�gen. Nach dem Speichern hier k�nnen Sie auf github bzw. gitlab Webhooks einrichten, damit der Marktplatz sich automatisch die neuste Version des Plugins vom Repository holt. Damit ist das Plugin auf dem Pluginmarktplatz immer brandaktuell.") ?>
         </p>
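Review bot: The `checked` attribute on the new checkbox is never emitted: the inline block `<? $release->isNew() || $release['repository_secret'] ? " checked" : "" ?>` evaluates the ternary but does not echo it, so the form always renders unchecked and a re-saved release silently drops its secret via the `use_secret` check in the controller. Change it to `<?= $release->isNew() || $release['repository_secret'] ? " checked" : "" ?>`. The surrounding template uses `<?=` for every other echo, so this also restores consistency.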
@@ -53,6 +57,13 @@
             <?= _("Webhook-URL zum Einf�gen in github oder gitlab:") ?>
             <input type="text" readonly style="border: thin solid #cccccc; background-color: #eeeeee; width:100%;" value="<?= $controller->absolute_url_for('update/release/' . $release->getId(), array('s' => $release->getSecurityHash())) ?>">
         </p>
+        <? if ($release['repository_secret']) : ?>
+            <label>
+                <?= _("Secret (optional)") ?>
+                <input type="text" readonly style="border: thin solid #cccccc; background-color: #eeeeee;" name="release[repository_secret]" value="<?= htmlReady($release['repository_secret']) ?>">
+            </label>
+        <? endif ?>
+
             <? if ($domain_warning) : ?>
             <p class="info"><?= htmlReady($domain_warning)  ?></p>
             <? endif ?>
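Review bot: The secret is rendered in a `readonly` input named `release[repository_secret]`, but `readonly` is only a browser hint and the value is posted back with the form; whether the controller accepts a client-supplied `release[repository_secret]` depends on how it binds `release[...]` fields, which is outside this diff. Since the controller already decides the secret from `use_secret`, consider rendering it without a `name` attribute (e.g. `<input type="text" readonly value="<?= htmlReady($release['repository_secret']) ?>">`) so it is display-only and can never overwrite the stored value. The label `Secret (optional)` also reads oddly for a field the user cannot edit.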
-- 
GitLab