summaryrefslogtreecommitdiffstats
path: root/web/html
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 11:44:05 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 11:55:32 +0200
commit47faf88f14bd420163e29e3cd583e741e63ce929 (patch)
tree7ff3d3476943d89038bcbc87d33f4b586da9fd87 /web/html
parent2eb45e7d9ed0c538ff920b3e5243dfd83bc07826 (diff)
downloadaurweb-47faf88f14bd420163e29e3cd583e741e63ce929.tar.xz
Check if submitted files are in GZIP format.
This is quite hacky but this way we can ensure users get comprehensible error messages when trying to upload ".tar.xz" or ".tar.bz2" files. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html')
-rw-r--r--web/html/pkgsubmit.php18
1 files changed, 16 insertions, 2 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index edffbfa..72ada9d 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -26,18 +26,32 @@ if ($_COOKIE["AURSID"]):
$error = __("Error - No file uploaded");
}
+ # Check whether the file is gzip'ed
+ if (!$error) {
+ $fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
+ fseek($fh, 0, SEEK_SET);
+ $magic = end(unpack('v', fread($fh, 2)));
+
+ if ($magic != 0x8b1f) {
+ $error = __("Error - unsupported file format (please submit gzip'ed tarballs generated by makepkg(8) only).");
+ }
+ }
+
# Check uncompressed file size (ZIP bomb protection)
if (!$error && $MAX_FILESIZE_UNCOMPRESSED) {
- $fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
fseek($fh, -4, SEEK_END);
$filesize_uncompressed = end(unpack('V', fread($fh, 4)));
- fclose($fh);
if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) {
$error = __("Error - uncompressed file size too large.");
}
}
+ # Close file handle before extracting stuff
+ if (is_resource($fh)) {
+ fclose($fh);
+ }
+
$uid = uid_from_sid($_COOKIE['AURSID']);
if (!$error) {