diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-30 11:44:05 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-30 11:55:32 +0200 |
commit | 47faf88f14bd420163e29e3cd583e741e63ce929 (patch) | |
tree | 7ff3d3476943d89038bcbc87d33f4b586da9fd87 /web | |
parent | 2eb45e7d9ed0c538ff920b3e5243dfd83bc07826 (diff) | |
download | aur-47faf88f14bd420163e29e3cd583e741e63ce929.tar.gz aur-47faf88f14bd420163e29e3cd583e741e63ce929.tar.xz |
Check if submitted files are in GZIP format.
This is quite hacky but this way we can ensure users get comprehensible
error messages when trying to upload ".tar.xz" or ".tar.bz2" files.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r-- | web/html/pkgsubmit.php | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index edffbfa1..72ada9d2 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -26,18 +26,32 @@ if ($_COOKIE["AURSID"]): $error = __("Error - No file uploaded"); } + # Check whether the file is gzip'ed + if (!$error) { + $fh = fopen($_FILES['pfile']['tmp_name'], 'rb'); + fseek($fh, 0, SEEK_SET); + $magic = end(unpack('v', fread($fh, 2))); + + if ($magic != 0x8b1f) { + $error = __("Error - unsupported file format (please submit gzip'ed tarballs generated by makepkg(8) only)."); + } + } + # Check uncompressed file size (ZIP bomb protection) if (!$error && $MAX_FILESIZE_UNCOMPRESSED) { - $fh = fopen($_FILES['pfile']['tmp_name'], 'rb'); fseek($fh, -4, SEEK_END); $filesize_uncompressed = end(unpack('V', fread($fh, 4))); - fclose($fh); if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) { $error = __("Error - uncompressed file size too large."); } } + # Close file handle before extracting stuff + if (is_resource($fh)) { + fclose($fh); + } + $uid = uid_from_sid($_COOKIE['AURSID']); if (!$error) { |