fix(installer): ensure valid tempFile & extractDir

susnux · skjnldsv · commit d4fdf5cee002 · 2025-08-12T09:06:32.000+02:00
Signed-off-by: skjnldsv &lt;skjnldsv@protonmail.com&gt;
diff --git a/build/psalm-baseline.xml b/build/psalm-baseline.xml
@@ -2842,9 +2842,6 @@
       <code><![CDATA[$matches[0][$last_match]]]></code>
       <code><![CDATA[$matches[1][$last_match]]]></code>
     </InvalidArrayOffset>
-    <InvalidScalarArgument>
-      <code><![CDATA[$path]]></code>
-    </InvalidScalarArgument>
     <UndefinedInterfaceMethod>
       <code><![CDATA[getQuota]]></code>
     </UndefinedInterfaceMethod>
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
@@ -241,6 +241,10 @@ public function downloadApp(string $appId, bool $allowUnstable = false): void {
 
 				// Download the release
 				$tempFile = $this->tempManager->getTemporaryFile('.tar.gz');
+				if ($tempFile === false) {
+					throw new \RuntimeException('Could not create temporary file for downloading app archive.');
+				}
+
 				$timeout = $this->isCLI ? 0 : 120;
 				$client = $this->clientService->newClient();
 				$client->get($app['releases'][0]['download'], ['sink' => $tempFile, 'timeout' => $timeout]);
@@ -252,8 +256,11 @@ public function downloadApp(string $appId, bool $allowUnstable = false): void {
 				if ($verified === true) {
 					// Seems to match, let's proceed
 					$extractDir = $this->tempManager->getTemporaryFolder();
-					$archive = new TAR($tempFile);
+					if ($extractDir === false) {
+						throw new \RuntimeException('Could not create temporary directory for unpacking app.');
+					}
 
+					$archive = new TAR($tempFile);
 					if (!$archive->extract($extractDir)) {
 						$errorMessage = 'Could not extract app ' . $appId;
 
diff --git a/lib/private/legacy/OC_Helper.php b/lib/private/legacy/OC_Helper.php
@@ -206,7 +206,7 @@ public static function canExecute($name, $path = false) {
 		$exts = [''];
 		$check_fn = 'is_executable';
 		// Default check will be done with $path directories :
-		$dirs = explode(PATH_SEPARATOR, $path);
+		$dirs = explode(PATH_SEPARATOR, (string) $path);
 		// WARNING : We have to check if open_basedir is enabled :
 		$obd = OC::$server->get(IniGetWrapper::class)->getString('open_basedir');
 		if ($obd != 'none') {
