From 09d8128f99c2edc27dd81efc63e9b3c797603ca1 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Tue, 22 Feb 2011 19:46:51 +0100 Subject: Protect users against ZIP bombs (fixes FS#22991). Signed-off-by: Lukas Fleischer --- web/html/pkgsubmit.php | 12 ++++++++++++ web/lib/config.inc.proto | 5 +++++ 2 files changed, 17 insertions(+) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index df7c4671..17e1967a 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -26,6 +26,18 @@ if ($_COOKIE["AURSID"]): $error = __("Error - No file uploaded"); } + # Check uncompressed file size (ZIP bomb protection) + if (!$error && $MAX_FILESIZE_UNCOMPRESSED) { + $fh = fopen($_FILES['pfile']['tmp_name'], 'rb'); + fseek($fh, -4, SEEK_END); + $filesize_uncompressed = end(unpack('V', fread($fh, 4))); + fclose($fh); + + if ($filesize_uncompressed > $MAX_FILESIZE_UNCOMPRESSED) { + $error = __("Error - uncompressed file size too large."); + } + } + $uid = uid_from_sid($_COOKIE['AURSID']); if (!$error) { diff --git a/web/lib/config.inc.proto b/web/lib/config.inc.proto index bee68891..80a7e540 100644 --- a/web/lib/config.inc.proto +++ b/web/lib/config.inc.proto @@ -53,3 +53,8 @@ $LOGIN_TIMEOUT = 7200; # Session timeout when using "Remember me" cookies $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30; + +# Uncompressed file size limit for submitted tarballs (ZIP bomb protection) - +# please ensure "upload_max_filesize" is additionally set to no more than 3M, +# otherwise this check might be easy to bypass (FS#22991 for details) +$MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8; -- cgit v1.2.3-24-g4f1b