public function installPackage()
{
$expected = ['package', 'supplier', 'type'];
if (!\Airship\all_keys_exist($expected, $_POST)) {
\Airship\json_response(['status' => 'ERROR', 'message' => \__('Incomplete request.')]);
}
if ($this->skyport->isLocked()) {
$locked = true;
if ($this->skyport->isPasswordLocked() && !empty($_POST['password'])) {
$password = new HiddenString($_POST['password']);
if ($this->skyport->tryUnlockPassword($password)) {
$_SESSION['airship_install_lock_override'] = true;
$locked = false;
}
unset($password);
}
if ($locked) {
if ($this->skyport->isPasswordLocked()) {
\Airship\json_response(['status' => 'PROMPT', 'message' => \__('The skyport is locked. To unlock the skyport, please provide the password.')]);
}
\Airship\json_response(['status' => 'ERROR', 'message' => \__('The skyport is locked. You cannot install packages from the web interface.')]);
}
}
try {
$filter = new SkyportFilter();
$_POST = $filter($_POST);
} catch (\TypeError $ex) {
$this->log("Input violation", LogLevel::ALERT, \Airship\throwableToArray($ex));
\Airship\json_response(['status' => 'ERROR', 'message' => \__('Invalid input.')]);
}
/**
* @security We need to guarantee RCE isn't possible:
*/
$args = \implode(' ', [\escapeshellarg(Util::charWhitelist($_POST['type'], Util::PRINTABLE_ASCII)), \escapeshellarg(Util::charWhitelist($_POST['supplier'], Util::PRINTABLE_ASCII) . '/' . Util::charWhitelist($_POST['package'], Util::PRINTABLE_ASCII))]);
$output = \shell_exec('php -dphar.readonly=0 ' . ROOT . '/CommandLine/install.sh ' . $args);
\Airship\json_response(['status' => 'OK', 'message' => $output]);
}