diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-04-05 02:40:16 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-04-05 12:21:36 +0200 |
commit | 8921e4deb946967b7cdd4007ab7e989f7b31573a (patch) | |
tree | 63f715228647dac5fa70d0fe3c312421a8f560bd /web/html/pkgsubmit.php | |
parent | afb02a10c64f2f45717dc1133e89e567e5d9e5d7 (diff) | |
download | aurweb-8921e4deb946967b7cdd4007ab7e989f7b31573a.tar.xz |
Do not allow for overwriting arbitrary packages
A package should only be overwritten if it already belongs to the
package base that is trying to overwrite it.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html/pkgsubmit.php')
-rw-r--r-- | web/html/pkgsubmit.php | 44 |
1 files changed, 23 insertions, 21 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 13a67d8..cf5e03b 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -410,33 +410,35 @@ if ($uid): } /* Upload PKGBUILD and tarball. */ - if (!$error) { - /* - * First, check whether this package already exists and - * whether it can be overwritten. - */ - if (can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) { - if (file_exists($incoming_pkgdir)) { - /* - * Blow away the existing directory and - * its contents. - */ - rm_tree($incoming_pkgdir); - } + if (!$error && !can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) { + $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkgbase_name, "</strong>"); + } - /* - * The mode is masked by the current umask, so - * not as scary as it looks. - */ - if (!mkdir($incoming_pkgdir, 0777, true)) { - $error = __( "Could not create directory %s.", $incoming_pkgdir); + if (!$error) { + foreach ($pkginfo as $pi) { + if (!can_submit_pkg($pi['pkgname'], $base_id)) { + $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pi['pkgname'], "</strong>"); + break; } - } else { - $error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkg_name, "</strong>"); } } if (!$error) { + /* + * Blow away the existing directory and its contents. + */ + if (file_exists($incoming_pkgdir)) { + rm_tree($incoming_pkgdir); + } + + /* + * The mode is masked by the current umask, so not as + * scary as it looks. + */ + if (!mkdir($incoming_pkgdir, 0777, true)) { + $error = __( "Could not create directory %s.", $incoming_pkgdir); + } + if (!chdir($incoming_pkgdir)) { $error = __("Could not change directory to %s.", $incoming_pkgdir); } |