Check if submitted files are in GZIP format.

This is quite hacky but this way we can ensure users get comprehensible
error messages when trying to upload ".tar.xz" or ".tar.bz2" files.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Lukas Fleischer 2011-03-30 11:44:05 +02:00
parent 2eb45e7d9e
commit 47faf88f14


@ -26,18 +26,32 @@ if ($_COOKIE["AURSID"]):
$error = __("Error - No file uploaded"); $error = __("Error - No file uploaded");
} }
# Check whether the file is gzip'ed
if (!$error) {
$fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
fseek($fh, 0, SEEK_SET);
$magic = end(unpack('v', fread($fh, 2)));
if ($magic != 0x8b1f) {
$error = __("Error - unsupported file format (please submit gzip'ed tarballs generated by makepkg(8) only).");
}
}
# Check uncompressed file size (ZIP bomb protection) # Check uncompressed file size (ZIP bomb protection)
if (!$error && $MAX_FILESIZE_UNCOMPRESSED) { if (!$error && $MAX_FILESIZE_UNCOMPRESSED) {
$fh = fopen($_FILES['pfile']['tmp_name'], 'rb');
fseek($fh, -4, SEEK_END); fseek($fh, -4, SEEK_END);
$filesize_uncompressed = end(unpack('V', fread($fh, 4))); $filesize_uncompressed = end(unpack('V', fread($fh, 4)));
fclose($fh);
if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) { if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) {
$error = __("Error - uncompressed file size too large."); $error = __("Error - uncompressed file size too large.");
} }
} }
# Close file handle before extracting stuff
if (is_resource($fh)) {
fclose($fh);
}
$uid = uid_from_sid($_COOKIE['AURSID']); $uid = uid_from_sid($_COOKIE['AURSID']);
if (!$error) { if (!$error) {
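Review bot: The added gzip check never tests the result of `fopen()` or the length of what `fread($fh, 2)` returns, so an unreadable or shorter-than-two-byte upload reaches `unpack()` with warnings instead of a clean rejection, and the later `fseek($fh, -4, SEEK_END)` now depends on this same handle being valid. Reading the header once and comparing bytes covers both cases: `$hdr = $fh ? fread($fh, 2) : false;` followed by `if ($hdr !== "\x1f\x8b") {`. The `is_resource($fh)` cleanup also reads `$fh` when an earlier error skipped the `fopen()`, so a `$fh = null;` before the first check would keep it defined. Two magic bytes only identify the container, and the trailing size field used for the limit is supplied by the uploader, so the extraction step that follows still needs its own size and format limits. The enclosing `if ($_COOKIE["AURSID"]):` block starts and ends outside the hunk.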