Commit ec0dfc27 authored by Lukas Fleischer's avatar Lukas Fleischer
Browse files

Removed code for tarball extraction.



Automatic tarball extraction was vulnerable in different ways. Users
should also only use source tarballs to build packages, so this has been
removed completely. From now on, only the PKGBUILD is extracted in a
secure manner.

Signed-off-by: default avatarLukas Fleischer <archlinux@cryptocrack.de>
parent 233f67b8
...@@ -3,9 +3,32 @@ Upgrading ...@@ -3,9 +3,32 @@ Upgrading
From 1.7.0 to 1.8.0 From 1.7.0 to 1.8.0
------------------- -------------------
1. Run the following MySQL statements:
----
ALTER TABLE Packages ADD OutOfDateTS BIGINT UNSIGNED NULL DEFAULT NULL; ALTER TABLE Packages ADD OutOfDateTS BIGINT UNSIGNED NULL DEFAULT NULL;
UPDATE Packages SET OutOfDateTS = UNIX_TIMESTAMP() WHERE OutOfDate = 1; UPDATE Packages SET OutOfDateTS = UNIX_TIMESTAMP() WHERE OutOfDate = 1;
ALTER TABLE Packages DROP OutOfDate; ALTER TABLE Packages DROP OutOfDate;
----
2. You will need to update all packages which are stored in the incoming dir as
in 1.8.0, source tarballs are no longer extracted automatically and PKGBUILDs
are from now on located in the same subdirectories as the tarballs themselves.
The following script will do the conversion automatically when being run inside
"$INCOMING_DIR":
----
#!/bin/bash
for pkg in *; do
if [ -d "${pkg}" -a ! -f "${pkg}/PKGBUILD" ]; then
pkgbuild_file=$(find -P "${pkg}" -name PKGBUILD)
[ -n "${pkgbuild_file}" ] && \
cp "${pkgbuild_file}" "${pkg}/PKGBUILD"
fi
done
----
From 1.6.0 to 1.7.0 From 1.6.0 to 1.7.0
------------------- -------------------
......
...@@ -28,34 +28,19 @@ if ($_COOKIE["AURSID"]): ...@@ -28,34 +28,19 @@ if ($_COOKIE["AURSID"]):
$uid = uid_from_sid($_COOKIE['AURSID']); $uid = uid_from_sid($_COOKIE['AURSID']);
# Temporary dir to put the tarball contents
$tempdir = UPLOAD_DIR . $uid . time();
if (!$error) { if (!$error) {
if (!@mkdir($tempdir)) { $tar = new Archive_Tar($_FILES['pfile']['tmp_name']);
$error = __("Could not create incoming directory: %s.", $tempdir);
} else {
if (!@chdir($tempdir)) {
$error = __("Could not change directory to %s.", $tempdir);
} else {
$tar = new Archive_Tar($_FILES['pfile']['tmp_name']);
$extract = $tar->extract();
if (!$extract) { # Extract PKGBUILD into a string
$error = __("Unknown file format for uploaded file."); $pkgbuild_raw = '';
} foreach ($tar->listContent() as $tar_file) {
if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
break;
} }
} }
}
# Find the PKGBUILD
if (!$error) {
$pkgbuild = File_Find::search('PKGBUILD', $tempdir);
if (count($pkgbuild)) { if (empty($pkgbuild_raw)) {
$pkgbuild = $pkgbuild[0];
$pkg_dir = dirname($pkgbuild);
} else {
$error = __("Error trying to unpack upload - PKGBUILD does not exist."); $error = __("Error trying to unpack upload - PKGBUILD does not exist.");
} }
} }
...@@ -67,14 +52,13 @@ if ($_COOKIE["AURSID"]): ...@@ -67,14 +52,13 @@ if ($_COOKIE["AURSID"]):
# process PKGBUILD - remove line concatenation # process PKGBUILD - remove line concatenation
# #
$pkgbuild = array(); $pkgbuild = array();
$fp = fopen($pkg_dir."/PKGBUILD", "r");
$line_no = 0; $line_no = 0;
$lines = array(); $lines = array();
$continuation_line = 0; $continuation_line = 0;
$current_line = ""; $current_line = "";
$paren_depth = 0; $paren_depth = 0;
while (!feof($fp)) { foreach (split("\n", $pkgbuild_raw) as $line) {
$line = trim(fgets($fp)); $line = trim($line);
# Remove comments # Remove comments
$line = preg_replace('/\s*#.*/', '', $line); $line = preg_replace('/\s*#.*/', '', $line);
...@@ -109,7 +93,6 @@ if ($_COOKIE["AURSID"]): ...@@ -109,7 +93,6 @@ if ($_COOKIE["AURSID"]):
$line_no++; $line_no++;
} }
} }
fclose($fp);
# Now process the lines and put any var=val lines into the # Now process the lines and put any var=val lines into the
# 'pkgbuild' array. # 'pkgbuild' array.
...@@ -239,37 +222,18 @@ if ($_COOKIE["AURSID"]): ...@@ -239,37 +222,18 @@ if ($_COOKIE["AURSID"]):
if (!@mkdir($incoming_pkgdir)) { if (!@mkdir($incoming_pkgdir)) {
$error = __( "Could not create directory %s.", $incoming_pkgdir); $error = __( "Could not create directory %s.", $incoming_pkgdir);
} }
rename($pkg_dir, $incoming_pkgdir . "/" . $pkg_name);
} else { } else {
$error = __( "You are not allowed to overwrite the %h%s%h package.", "<b>", $pkg_name, "</b>"); $error = __( "You are not allowed to overwrite the %h%s%h package.", "<b>", $pkg_name, "</b>");
} }
} }
# Re-tar the package for consistency's sake
if (!$error) { if (!$error) {
if (!@chdir($incoming_pkgdir)) { if (!@chdir($incoming_pkgdir)) {
$error = __("Could not change directory to %s.", $incoming_pkgdir); $error = __("Could not change directory to %s.", $incoming_pkgdir);
} }
}
if (!$error) {
$tar = new Archive_Tar($pkg_name . '.tar.gz');
$create = $tar->create(array($pkg_name));
if (!$create) {
$error = __("Could not re-tar");
}
}
# Chmod files after everything has been done.
if (!$error && !chmod_group($incoming_pkgdir)) {
$error = __("Could not chmod directory %s.", $incoming_pkgdir);
}
# Whether it failed or not we can clean this out file_put_contents('PKGBUILD', $pkgbuild_raw);
if (file_exists($tempdir)) { rename($_FILES['pfile']['tmp_name'], $pkg_name . '.tar.gz');
rm_rf($tempdir);
} }
# Update the backend database # Update the backend database
......
...@@ -77,8 +77,9 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[ ...@@ -77,8 +77,9 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[
<p><span class='f3'> <p><span class='f3'>
<?php <?php
if ($row['LocationID'] == 2) { if ($row['LocationID'] == 2) {
$urlpath = URL_DIR . $row['Name'] . '/' . $row['Name']; $urlpath = URL_DIR . $row['Name'];
print "<a href='$urlpath.tar.gz'>".__("Tarball")."</a> :: <a href='$urlpath'>".__("Files")."</a> :: <a href='$urlpath/PKGBUILD'>PKGBUILD</a></span>"; print "<a href='$urlpath/" . $row['Name'] . ".tar.gz'>".__("Tarball")."</a> :: ";
print "<a href='$urlpath/PKGBUILD'>".__("PKGBUILD")."</a></span>";
} }
if ($row["OutOfDateTS"] !== NULL) { if ($row["OutOfDateTS"] !== NULL) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment