From 2fe1158c58e8eb7fc914f2671fe29b6951bc27a3 Mon Sep 17 00:00:00 2001
From: Anssi Hannula <anssi.hannula@iki.fi>
Date: Sun, 10 Oct 2010 20:14:42 +0300
Subject: [PATCH 3/7] fixed: disallow addon zip files that have unexpected structure

Check that the root directory of addon zip files contains a single
directory with no other files.

This will prevent pollution of addon directory when trying to install
invalid addon zip files.
---
 xbmc/GUIWindowAddonBrowser.cpp |   39 +++++++++++++++------------------------
 1 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/xbmc/GUIWindowAddonBrowser.cpp b/xbmc/GUIWindowAddonBrowser.cpp
index b6cbc25..66f965a 100644
--- a/xbmc/GUIWindowAddonBrowser.cpp
+++ b/xbmc/GUIWindowAddonBrowser.cpp
@@ -318,30 +318,10 @@ void CGUIWindowAddonBrowser::OnJobComplete(unsigned int jobID,
         }
         else
         {
-          CURL url(strFolder);
           // zip extraction job is done
-          if (url.GetProtocol() == "zip")
-          {
-            CFileItemList list;
-            CDirectory::GetDirectory(url.Get(),list);
-            CStdString dirname = "";
-            for (int i=0;i<list.Size();++i)
-            {
-              if (list[i]->m_bIsFolder)
-              {
-                dirname = list[i]->GetLabel();
-                break;
-              }
-            }
-            strFolder = CUtil::AddFileToFolder("special://home/addons/",
-                                               dirname);
-          }
-          else
-          {
-            CUtil::RemoveSlashAtEnd(strFolder);
-            strFolder = CUtil::AddFileToFolder("special://home/addons/",
-                                               CUtil::GetFileName(strFolder));
-          }
+          CUtil::RemoveSlashAtEnd(strFolder);
+          strFolder = CUtil::AddFileToFolder("special://home/addons/",
+                                             CUtil::GetFileName(strFolder));
           AddonPtr addon;
           bool update=false;
           if (CAddonMgr::Get().LoadAddonDescription(strFolder, addon))
@@ -420,7 +400,18 @@ unsigned int CGUIWindowAddonBrowser::AddJob(const CStdString& path)
     {
       CStdString archive;
       CUtil::CreateArchivePath(archive,"zip",package,"");
-      list.Add(CFileItemPtr(new CFileItem(archive,true)));
+
+      CFileItemList archivedFiles;
+      CDirectory::GetDirectory(archive, archivedFiles);
+
+      if (archivedFiles.Size() != 1 || !archivedFiles[0]->m_bIsFolder)
+      {
+        CFile::Delete(package);
+        ReportInstallErrorZip(CUtil::GetFileName(path));
+        CLog::Log(LOGERROR, "Package %s is not a valid addon", CUtil::GetFileName(path).c_str());
+        return false;
+      }
+      list.Add(CFileItemPtr(new CFileItem(archivedFiles[0]->m_strPath,true)));
       dest = "special://home/addons/";
     }
     else
-- 
1.7.3