external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

web/html/pkgsubmit.php: Revamp tarball validation

Browse source 
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.

The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:

    PaxHeader/xcursor-protozoa
    xcursor-protozoa/
    xcursor-protozoa/PaxHeader/PKGBUILD
    xcursor-protozoa/PKGBUILD

This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.

Addresses FS#28802.

Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
Lukas Fleischer 2012-03-19 23:18:48 +01:00
parent 1e29bd2217
commit 1f36664e9f
1 changed files with 14 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
web/html/pkgsubmit.php
View file

@ -65,23 +65,25 @@ if ($uid):
$pkgbuild_raw = '';
$dircount = 0;
foreach ($tar->listContent() as $tar_file) {
if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
if ($tar_file['typeflag'] == 0) {
if (strchr($tar_file['filename'], '/') === false) {
$error = __("Error - source tarball may not contain files outside a directory.");
break;
}
elseif (substr($tar_file['filename'], -9) == '/PKGBUILD') {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
}
}
elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
if (++$dircount > 1) {
elseif ($tar_file['typeflag'] == 5) {
if (substr_count($tar_file['filename'], "/") > 1) {
$error = __("Error - source tarball may not contain nested subdirectories.");
break;
}
elseif (++$dircount > 1) {
$error = __("Error - source tarball may not contain more than one directory.");
break;
}
}
elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
$error = __("Error - source tarball may not contain files outside a directory.");
break;
}
elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
$error = __("Error - source tarball may not contain nested subdirectories.");
break;
}
}
if (!$error && empty($pkgbuild_raw)) {