diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-03-19 23:18:48 +0100 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-03-19 23:29:58 +0100 |
commit | 1f36664e9f55b175472436973a238aa36bd58bb2 (patch) | |
tree | 6edfb49d7d8ba0369e88eabbf4e708ae96646816 /web | |
parent | 1e29bd2217f4320d3df156c448bf16aaeaec53d6 (diff) | |
download | aurweb-1f36664e9f55b175472436973a238aa36bd58bb2.tar.xz |
web/html/pkgsubmit.php: Revamp tarball validation
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.
The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:
PaxHeader/xcursor-protozoa
xcursor-protozoa/
xcursor-protozoa/PaxHeader/PKGBUILD
xcursor-protozoa/PKGBUILD
This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.
Addresses FS#28802.
Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r-- | web/html/pkgsubmit.php | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 75a4b69..566890b 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -65,23 +65,25 @@ if ($uid): $pkgbuild_raw = ''; $dircount = 0; foreach ($tar->listContent() as $tar_file) { - if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) { - $pkgbuild_raw = $tar->extractInString($tar_file['filename']); + if ($tar_file['typeflag'] == 0) { + if (strchr($tar_file['filename'], '/') === false) { + $error = __("Error - source tarball may not contain files outside a directory."); + break; + } + elseif (substr($tar_file['filename'], -9) == '/PKGBUILD') { + $pkgbuild_raw = $tar->extractInString($tar_file['filename']); + } } - elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) { - if (++$dircount > 1) { + elseif ($tar_file['typeflag'] == 5) { + if (substr_count($tar_file['filename'], "/") > 1) { + $error = __("Error - source tarball may not contain nested subdirectories."); + break; + } + elseif (++$dircount > 1) { $error = __("Error - source tarball may not contain more than one directory."); break; } } - elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) { - $error = __("Error - source tarball may not contain files outside a directory."); - break; - } - elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) { - $error = __("Error - source tarball may not contain nested subdirectories."); - break; - } } if (!$error && empty($pkgbuild_raw)) { |