Commit 1f36664e authored by Lukas Fleischer

web/html/pkgsubmit.php: Revamp tarball validation
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.

The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:

    PaxHeader/xcursor-protozoa
    xcursor-protozoa/
    xcursor-protozoa/PaxHeader/PKGBUILD
    xcursor-protozoa/PKGBUILD

This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.

Addresses FS#28802.

Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
parent 1e29bd22
......@@ -65,23 +65,25 @@ if ($uid):
$pkgbuild_raw = '';
$dircount = 0;
foreach ($tar->listContent() as $tar_file) {
if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
if ($tar_file['typeflag'] == 0) {
if (strchr($tar_file['filename'], '/') === false) {
$error = __("Error - source tarball may not contain files outside a directory.");
break;
}
elseif (substr($tar_file['filename'], -9) == '/PKGBUILD') {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
}
}
elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
if (++$dircount > 1) {
elseif ($tar_file['typeflag'] == 5) {
if (substr_count($tar_file['filename'], "/") > 1) {
$error = __("Error - source tarball may not contain nested subdirectories.");
break;
}
elseif (++$dircount > 1) {
$error = __("Error - source tarball may not contain more than one directory.");
break;
}
}
elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
$error = __("Error - source tarball may not contain files outside a directory.");
break;
}
elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
$error = __("Error - source tarball may not contain nested subdirectories.");
break;
}
}
if (!$error && empty($pkgbuild_raw)) {
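Review bot: the nested-subdirectory check now runs only for directory entries (`typeflag == 5`), so a regular file such as `pkgname/sub/PKGBUILD` is accepted when the archive carries no `pkgname/sub/` directory entry (tar does not require one), and `substr($tar_file['filename'], -9) == '/PKGBUILD'` then picks it up as the PKGBUILD; the removed `preg_match('/^[^\/]+\/[^\/]+\//', ...)` branch rejected that for every entry. Suggest adding `elseif (substr_count($tar_file['filename'], '/') > 1)` with the nested-subdirectories error to the `typeflag == 0` branch as well. Related: entries with any other typeflag (hard links, symlinks, pax `x`/`g` headers) now fall through both branches with no path check at all, whereas the old code matched every filename regardless of type; a closing `else` that rejects unexpected entry types would keep the validation closed rather than permissive by default.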