commit 9af82229 | 25-Jun-2026 | Andreas Gohr <gohr@cosmocode.de>
extension: validate base name to prevent path traversal on install
The extension base name flowed unsanitized from an uploaded archive's plugin.info.txt (or an extension id) into getInstallDir(), where fullpath() collapses '..' segments. A crafted base such as '../../../../evil' therefore resolved outside lib/plugins/, letting dircopy() write the archive contents to an arbitrary web-writable path.
Route every base assignment through a new setBase() that rejects anything other than a bare extension name.
Note: this is not really a security concern since plugins can execute arbitrary code by design. This is mostly to make sure plugin code is not installed accidentally at the wrong location.
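The failure mode described in this commit, as an added illustration that is not DokuWiki's own code: a string-only path normaliser stands in for the '..'-collapsing fullpath() helper, and a setBase()-style guard is shown beside it. The bare-name rule (one segment of letters, digits and underscores) and the `collapse`, `installDir`, `isBareName` and `setBase` names are assumptions made for this example, not the project's API.

```php
<?php
// Added example, not DokuWiki's code. Models how an unchecked base name
// reaches the install directory, and the kind of guard that stops it.

// Collapse '.' and '..' segments purely on the string, as a
// fullpath()-style helper would, without touching the filesystem.
function collapse(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Pre-fix behaviour: the base is joined onto the plugin root unchecked.
function installDir(string $pluginRoot, string $base): string {
    return collapse($pluginRoot . '/' . $base);
}

// Assumed rule for this example: a bare extension name is exactly one
// path segment made of letters, digits and underscores.
function isBareName(string $base): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]+$/', $base);
}

// setBase()-style guard: refuse anything that is not a bare name, so a
// value taken from plugin.info.txt can never carry path separators or '..'.
function setBase(string $base): string {
    if (!isBareName($base)) {
        throw new InvalidArgumentException("invalid extension base name: $base");
    }
    return $base;
}

// Constructed inputs: a legitimate name and the traversal case from the commit.
$root = '/var/www/dokuwiki/lib/plugins';
foreach (['mynotes', '../../../../evil'] as $candidate) {
    $dir = installDir($root, $candidate);
    $inside = strncmp($dir, $root . '/', strlen($root) + 1) === 0;
    printf("%-18s -> %s (%s)\n", $candidate, $dir, $inside ? 'inside' : 'ESCAPES');
    try {
        setBase($candidate);
        echo "  setBase: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  setBase: rejected\n";
    }
}
```

Run with `php example.php`: the first candidate resolves inside lib/plugins and is accepted, the second resolves to /evil and is rejected before any copy could happen.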