OF-1020: Admin Console Remote File Inclusion

src/java/org/jivesoftware/openfire/update/UpdateManager.java

@@ -81,7 +81,7 @@ public class UpdateManager extends BasicModule {
     /**
      * URL of the servlet (JSP) that provides the "check for update" service.
      */
-    private static String updateServiceURL = "http://www.igniterealtime.org/projects/openfire/versions.jsp";
+    private static String updateServiceURL = "https://www.igniterealtime.org/projects/openfire/versions.jsp";
 
     /**
      * Information about the available server update.
@@ -275,6 +275,8 @@ public class UpdateManager extends BasicModule {
             hc.setProxy(getProxyHost(), getProxyPort());
             httpClient.setHostConfiguration(hc);
         }
+        
+        if (isKnownPlugin(url)) {
 			GetMethod getMethod = new GetMethod(url);
 			//execute the method
 			try {
@@ -301,9 +303,30 @@ public class UpdateManager extends BasicModule {
 			catch (IOException e) {
 			    Log.warn("Error downloading new plugin version", e);
 			}
+        } else {
+        	Log.error("Invalid plugin download URL: " +url);
+        }
         return installed;
     }
     
+    /**
+     * Check if the plugin URL is in the known list of available plugins.
+     * 
+     * i.e. that it's an approved download source.
+     * 
+     * @param url The URL of the plugin to download.
+     * @return true if the URL is in the list. Otherwise false.
+     */
+    private boolean isKnownPlugin(String url) {
+    	for (String pluginName : availablePlugins.keySet()) {
+    		if (availablePlugins.get(pluginName).getDownloadURL().toString().equals(url)) {
+                return true;
+    		}
+    	}
+        
+        return false;
+    }
+
     /**
      * Returns true if the plugin downloaded from the specified URL has been downloaded. Plugins
      * may be downloaded but not installed. The install process may take like 30 seconds to