authorLukas Fleischer <archlinux@cryptocrack.de>2014-04-05 02:40:16 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-04-05 12:21:36 +0200
commit8921e4deb946967b7cdd4007ab7e989f7b31573a (patch)
tree63f715228647dac5fa70d0fe3c312421a8f560bd /web/html/pkgsubmit.php
parentafb02a10c64f2f45717dc1133e89e567e5d9e5d7 (diff)
downloadaurweb-8921e4deb946967b7cdd4007ab7e989f7b31573a.tar.xz
Do not allow for overwriting arbitrary packages
A package should only be overwritten if it already belongs to the package base that is trying to overwrite it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html/pkgsubmit.php')
-rw-r--r--web/html/pkgsubmit.php44
1 files changed, 23 insertions, 21 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 13a67d8..cf5e03b 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -410,33 +410,35 @@ if ($uid):
}
/* Upload PKGBUILD and tarball. */
- if (!$error) {
- /*
- * First, check whether this package already exists and
- * whether it can be overwritten.
- */
- if (can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) {
- if (file_exists($incoming_pkgdir)) {
- /*
- * Blow away the existing directory and
- * its contents.
- */
- rm_tree($incoming_pkgdir);
- }
+ if (!$error && !can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) {
+ $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkgbase_name, "</strong>");
+ }
- /*
- * The mode is masked by the current umask, so
- * not as scary as it looks.
- */
- if (!mkdir($incoming_pkgdir, 0777, true)) {
- $error = __( "Could not create directory %s.", $incoming_pkgdir);
+ if (!$error) {
+ foreach ($pkginfo as $pi) {
+ if (!can_submit_pkg($pi['pkgname'], $base_id)) {
+ $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pi['pkgname'], "</strong>");
+ break;
}
- } else {
- $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkg_name, "</strong>");
}
}
if (!$error) {
+ /*
+ * Blow away the existing directory and its contents.
+ */
+ if (file_exists($incoming_pkgdir)) {
+ rm_tree($incoming_pkgdir);
+ }
+
+ /*
+ * The mode is masked by the current umask, so not as
+ * scary as it looks.
+ */
+ if (!mkdir($incoming_pkgdir, 0777, true)) {
+ $error = __( "Could not create directory %s.", $incoming_pkgdir);
+ }
+
if (!chdir($incoming_pkgdir)) {
$error = __("Could not change directory to %s.", $incoming_pkgdir);
}
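Review bot: In the final `if (!$error)` block, a failed `mkdir()` no longer prevents the `chdir()` that follows, because both calls now share one block; before this change `chdir()` sat behind its own `if (!$error)`. The result of `rm_tree()` is not checked either, so if the old directory survives, `mkdir()` fails on the existing path and `chdir()` still enters the stale directory, or overwrites the mkdir message if it fails as well. I would guard the second call with `if (!$error && !chdir($incoming_pkgdir)) {`. Separately, the new per-package ownership check depends on `$base_id`, which is assigned outside this hunk; it is worth confirming what `can_submit_pkg()` returns when the package base is new and `$base_id` is empty, since that check is what keeps one base from taking over another base's package names. The enclosing block continues past the end of the hunk.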