diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-30 20:26:13 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-30 20:49:21 +0200 |
commit | a427bd72a7e3d2c74fbe66317c88e44df4b7bc3a (patch) | |
tree | eb06b4e2ba2aadba72bcd1fc362816f4108d2491 /web | |
parent | 0a625ae8ff737f471ee4e29853ba57db20352b1a (diff) | |
download | aurweb-a427bd72a7e3d2c74fbe66317c88e44df4b7bc3a.tar.xz |
Be more restrictive with source tarball contents.
Reject tarballs containing more than one directory or files outside a
directory.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r-- | web/html/pkgsubmit.php | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 954f1ce..05cc866 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -59,17 +59,28 @@ if ($_COOKIE["AURSID"]): # Extract PKGBUILD into a string $pkgbuild_raw = ''; + $dircount = 0; foreach ($tar->listContent() as $tar_file) { if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) { $pkgbuild_raw = $tar->extractInString($tar_file['filename']); + } + elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) { + if (++$dircount > 1) { + $error = __("Error - source tarball may not contain more than one directory."); + break; + } + } + elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) { + $error = __("Error - source tarball may not contain files outside a directory."); break; } elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) { - $error = __("Error - source tarball may not contain subdirectories."); + $error = __("Error - source tarball may not contain nested subdirectories."); + break; } } - if (empty($pkgbuild_raw)) { + if (!$error && empty($pkgbuild_raw)) { $error = __("Error trying to unpack upload - PKGBUILD does not exist."); } } |