summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--web/html/pkgsubmit.php12
-rw-r--r--web/lib/config.inc.proto5
2 files changed, 17 insertions, 0 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index df7c467..17e1967 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -26,6 +26,18 @@ if ($_COOKIE["AURSID"]):
$error = __("Error - No file uploaded");
}
+ # Check uncompressed file size (ZIP bomb protection)
+ if (!$error && $MAX_FILESIZE_UNCOMPRESSED) {
+ $fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
+ fseek($fh, -4, SEEK_END);
+ $filesize_uncompressed = end(unpack('V', fread($fh, 4)));
+ fclose($fh);
+
+ if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) {
+ $error = __("Error - uncompressed file size too large.");
+ }
+ }
+
$uid = uid_from_sid($_COOKIE['AURSID']);
if (!$error) {
diff --git a/web/lib/config.inc.proto b/web/lib/config.inc.proto
index bee6889..80a7e54 100644
--- a/web/lib/config.inc.proto
+++ b/web/lib/config.inc.proto
@@ -53,3 +53,8 @@ $LOGIN_TIMEOUT = 7200;
# Session timeout when using "Remember me" cookies
$PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
+
+# Uncompressed file size limit for submitted tarballs (ZIP bomb protection) -
+# please ensure "upload_max_filesize" is additionally set to no more than 3M,
+# otherwise this check might be easy to bypass (FS#22991 for details)
+$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;