Protect users against ZIP bombs (fixes FS#22991).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

web/html/pkgsubmit.php

@@ -26,6 +26,18 @@ if ($_COOKIE["AURSID"]):
 			$error = __("Error - No file uploaded");
 		}
 
+		# Check uncompressed file size (ZIP bomb protection)
+		if (!$error && $MAX_FILESIZE_UNCOMPRESSED) {
+			$fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
+			fseek($fh, -4, SEEK_END);
+			$filesize_uncompressed = end(unpack('V', fread($fh, 4)));
+			fclose($fh);
+
+			if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) {
+				$error = __("Error - uncompressed file size too large.");
+			}
+		}
+
 		$uid = uid_from_sid($_COOKIE['AURSID']);
 
 		if (!$error) {

web/lib/config.inc.proto

@@ -53,3 +53,8 @@ $LOGIN_TIMEOUT = 7200;
 
 # Session timeout when using "Remember me" cookies
 $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30;
+
+# Uncompressed file size limit for submitted tarballs (ZIP bomb protection) -
+# please ensure "upload_max_filesize" is additionally set to no more than 3M,
+# otherwise this check might be easy to bypass (FS#22991 for details)
+$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8;