external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Protect users against ZIP bombs (fixes FS#22991).

Browse source 
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
Lukas Fleischer 2011-02-22 19:46:51 +01:00
parent f961ffd9c7
commit 09d8128f99
2 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
web/html/pkgsubmit.php
View file

@ -26,6 +26,18 @@ if ($_COOKIE["AURSID"]):
$error = __("Error - No file uploaded"); $error = __("Error - No file uploaded");
} }
# Check uncompressed file size (ZIP bomb protection)
if (!$error && $MAX_FILESIZE_UNCOMPRESSED) {
$fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
fseek($fh, -4, SEEK_END);
$filesize_uncompressed = end(unpack('V', fread($fh, 4)));
fclose($fh);
if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) {
$error = __("Error - uncompressed file size too large.");
}
}
$uid = uid_from_sid($_COOKIE['AURSID']); $uid = uid_from_sid($_COOKIE['AURSID']);
if (!$error) { if (!$error) {

5
web/lib/config.inc.proto
View file

@ -53,3 +53,8 @@ $LOGIN_TIMEOUT = 7200;
# Session timeout when using "Remember me" cookies # Session timeout when using "Remember me" cookies
$PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30; $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
# Uncompressed file size limit for submitted tarballs (ZIP bomb protection) -
# please ensure "upload_max_filesize" is additionally set to no more than 3M,
# otherwise this check might be easy to bypass (FS#22991 for details)
$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;