authorLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 20:26:13 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-30 20:49:21 +0200
commita427bd72a7e3d2c74fbe66317c88e44df4b7bc3a (patch)
treeeb06b4e2ba2aadba72bcd1fc362816f4108d2491 /web/html/pkgsubmit.php
parent0a625ae8ff737f471ee4e29853ba57db20352b1a (diff)
Be more restrictive with source tarball contents.
Reject tarballs containing more than one directory or files outside a directory. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html/pkgsubmit.php')
-rw-r--r--web/html/pkgsubmit.php15
1 files changed, 13 insertions, 2 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 954f1ce1..05cc8666 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -59,17 +59,28 @@ if ($_COOKIE["AURSID"]):
# Extract PKGBUILD into a string
$pkgbuild_raw = '';
+ $dircount = 0;
foreach ($tar->listContent() as $tar_file) {
if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+ }
+ elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
+ if (++$dircount > 1) {
+ $error = __("Error - source tarball may not contain more than one directory.");
+ break;
+ }
+ }
+ elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
+ $error = __("Error - source tarball may not contain files outside a directory.");
break;
}
elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
- $error = __("Error - source tarball may not contain subdirectories.");
+ $error = __("Error - source tarball may not contain nested subdirectories.");
+ break;
}
}
- if (empty($pkgbuild_raw)) {
+ if (!$error && empty($pkgbuild_raw)) {
$error = __("Error trying to unpack upload - PKGBUILD does not exist.");
}
}
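Review bot: The `$dircount` branch counts only explicit directory entries (names ending in `/`), so an archive that lists files under two different top-level directories without separate directory entries is still accepted; the tar format does not require those entries. All four patterns also begin with `^[^\/]+`, so a name starting with `/` matches none of them and passes unflagged. Comparing the leading path component of every entry with the first one seen, and rejecting any name that has no such component, would close both gaps; the sketch below replaces `$dircount` and the two new `elseif` branches. `$error` is read in `if (!$error && empty($pkgbuild_raw))`, but its initialisation is outside the hunk, so confirm it is set before the loop. The enclosing `if ($_COOKIE["AURSID"]):` block starts and ends outside the hunk.

```php
$topdir = null;
foreach ($tar->listContent() as $tar_file) {
	// Every entry must sit under one and the same top-level directory;
	// this does not depend on the archive carrying explicit directory entries.
	if (!preg_match('/^([^\/]+)\//', $tar_file['filename'], $m)) {
		$error = __("Error - source tarball may not contain files outside a directory.");
		break;
	}
	if ($topdir === null) {
		$topdir = $m[1];
	}
	elseif ($m[1] !== $topdir) {
		$error = __("Error - source tarball may not contain more than one directory.");
		break;
	}
	// … unchanged: PKGBUILD extraction and nested-subdirectory check …
}
```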