authorLukas Fleischer <archlinux@cryptocrack.de>2010-11-04 18:10:56 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2011-01-19 23:18:09 +0100
commitec0dfc27deb246ee7d7f19fd5290e499805869d2 (patch)
tree3f267383b82cc4ef34f3c3e51b10bb0795b948e6
parent233f67b87edf0d063c0f56cece50c2f1bb1a31ff (diff)
Removed code for tarball extraction.
Automatic tarball extraction was vulnerable in different ways. Users should also only use source tarballs to build packages, so this has been removed completely. From now on, only the PKGBUILD is extracted in a secure manner. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--UPGRADING23
-rw-r--r--web/html/pkgsubmit.php60
-rw-r--r--web/template/pkg_details.php5
3 files changed, 38 insertions, 50 deletions
diff --git a/UPGRADING b/UPGRADING
index bbf60f0..468e995 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -3,9 +3,32 @@ Upgrading
From 1.7.0 to 1.8.0
-------------------
+
+1. Run the following MySQL statements:
+
+----
ALTER TABLE Packages ADD OutOfDateTS BIGINT UNSIGNED NULL DEFAULT NULL;
UPDATE Packages SET OutOfDateTS = UNIX_TIMESTAMP() WHERE OutOfDate = 1;
ALTER TABLE Packages DROP OutOfDate;
+----
+
+2. You will need to update all packages which are stored in the incoming dir as
+in 1.8.0, source tarballs are no longer extracted automatically and PKGBUILDs
+are from now on located in the same subdirectories as the tarballs themselves.
+The following script will do the conversion automatically when being run inside
+"$INCOMING_DIR":
+
+----
+#!/bin/bash
+
+for pkg in *; do
+ if [ -d "${pkg}" -a ! -f "${pkg}/PKGBUILD" ]; then
+ pkgbuild_file=$(find -P "${pkg}" -name PKGBUILD)
+ [ -n "${pkgbuild_file}" ] && \
+ cp "${pkgbuild_file}" "${pkg}/PKGBUILD"
+ fi
+done
+----
From 1.6.0 to 1.7.0
-------------------
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 5ce945d..68f8634 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -28,34 +28,19 @@ if ($_COOKIE["AURSID"]):
$uid = uid_from_sid($_COOKIE['AURSID']);
- # Temporary dir to put the tarball contents
- $tempdir = UPLOAD_DIR . $uid . time();
-
if (!$error) {
- if (!@mkdir($tempdir)) {
- $error = __("Could not create incoming directory: %s.", $tempdir);
- } else {
- if (!@chdir($tempdir)) {
- $error = __("Could not change directory to %s.", $tempdir);
- } else {
- $tar = new Archive_Tar($_FILES['pfile']['tmp_name']);
- $extract = $tar->extract();
+ $tar = new Archive_Tar($_FILES['pfile']['tmp_name']);
- if (!$extract) {
- $error = __("Unknown file format for uploaded file.");
- }
+ # Extract PKGBUILD into a string
+ $pkgbuild_raw = '';
+ foreach ($tar->listContent() as $tar_file) {
+ if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
+ $pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+ break;
}
}
- }
-
- # Find the PKGBUILD
- if (!$error) {
- $pkgbuild = File_Find::search('PKGBUILD', $tempdir);
- if (count($pkgbuild)) {
- $pkgbuild = $pkgbuild[0];
- $pkg_dir = dirname($pkgbuild);
- } else {
+ if (empty($pkgbuild_raw)) {
$error = __("Error trying to unpack upload - PKGBUILD does not exist.");
}
}
@@ -67,14 +52,13 @@ if ($_COOKIE["AURSID"]):
# process PKGBUILD - remove line concatenation
#
$pkgbuild = array();
- $fp = fopen($pkg_dir."/PKGBUILD", "r");
$line_no = 0;
$lines = array();
$continuation_line = 0;
$current_line = "";
$paren_depth = 0;
- while (!feof($fp)) {
- $line = trim(fgets($fp));
+ foreach (split("\n", $pkgbuild_raw) as $line) {
+ $line = trim($line);
# Remove comments
$line = preg_replace('/\s*#.*/', '', $line);
@@ -109,7 +93,6 @@ if ($_COOKIE["AURSID"]):
$line_no++;
}
}
- fclose($fp);
# Now process the lines and put any var=val lines into the
# 'pkgbuild' array.
@@ -239,37 +222,18 @@ if ($_COOKIE["AURSID"]):
if (!@mkdir($incoming_pkgdir)) {
$error = __( "Could not create directory %s.", $incoming_pkgdir);
}
-
- rename($pkg_dir, $incoming_pkgdir . "/" . $pkg_name);
} else {
$error = __( "You are not allowed to overwrite the %h%s%h package.", "<b>", $pkg_name, "</b>");
}
}
- # Re-tar the package for consistency's sake
if (!$error) {
if (!@chdir($incoming_pkgdir)) {
$error = __("Could not change directory to %s.", $incoming_pkgdir);
}
- }
-
- if (!$error) {
- $tar = new Archive_Tar($pkg_name . '.tar.gz');
- $create = $tar->create(array($pkg_name));
-
- if (!$create) {
- $error = __("Could not re-tar");
- }
- }
-
- # Chmod files after everything has been done.
- if (!$error && !chmod_group($incoming_pkgdir)) {
- $error = __("Could not chmod directory %s.", $incoming_pkgdir);
- }
- # Whether it failed or not we can clean this out
- if (file_exists($tempdir)) {
- rm_rf($tempdir);
+ file_put_contents('PKGBUILD', $pkgbuild_raw);
+ rename($_FILES['pfile']['tmp_name'], $pkg_name . '.tar.gz');
}
# Update the backend database
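Review bot: In the last hunk the writes at `file_put_contents('PKGBUILD', $pkgbuild_raw);` and `rename($_FILES['pfile']['tmp_name'], $pkg_name . '.tar.gz');` still run when the preceding `@chdir($incoming_pkgdir)` fails, because the brace removed at `- }` leaves them inside the same `if (!$error)` block after the error has been set, so on failure the PKGBUILD and tarball land in whatever the current working directory happens to be. Both calls also discard their return values, so a short write or a failed move proceeds to the database update that follows, and `move_uploaded_file()` rather than `rename()` would keep PHP's check that the source is this request's upload. Separately, in the first hunk `listContent()` is iterated without checking its result; it appears to return a non-array on an unreadable archive, which the removed "Unknown file format" branch used to report, so a guard such as `if (!is_array($tar_files = $tar->listContent()))` before the `foreach` would preserve that distinction. The enclosing `if ($_COOKIE["AURSID"])` block starts and ends outside the hunk.
```php
if (!$error) {
    if (!@chdir($incoming_pkgdir)) {
        $error = __("Could not change directory to %s.", $incoming_pkgdir);
    } elseif (file_put_contents('PKGBUILD', $pkgbuild_raw) === false) {
        $error = __("Could not write PKGBUILD to %s.", $incoming_pkgdir);
    } elseif (!move_uploaded_file($_FILES['pfile']['tmp_name'], $pkg_name . '.tar.gz')) {
        $error = __("Could not move uploaded file to %s.", $incoming_pkgdir);
    }
}
# … unchanged: database update …
```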
diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index 7c6356d..8dd3d28 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -77,8 +77,9 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[
<p><span class='f3'>
<?php
if ($row['LocationID'] == 2) {
- $urlpath = URL_DIR . $row['Name'] . '/' . $row['Name'];
- print "<a href='$urlpath.tar.gz'>".__("Tarball")."</a> :: <a href='$urlpath'>".__("Files")."</a> :: <a href='$urlpath/PKGBUILD'>PKGBUILD</a></span>";
+ $urlpath = URL_DIR . $row['Name'];
+ print "<a href='$urlpath/" . $row['Name'] . ".tar.gz'>".__("Tarball")."</a> :: ";
+ print "<a href='$urlpath/PKGBUILD'>".__("PKGBUILD")."</a></span>";
}
if ($row["OutOfDateTS"] !== NULL) {