From 1f36664e9f55b175472436973a238aa36bd58bb2 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Mon, 19 Mar 2012 23:18:48 +0100
Subject: web/html/pkgsubmit.php: Revamp tarball validation

* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.

The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:

    PaxHeader/xcursor-protozoa
    xcursor-protozoa/
    xcursor-protozoa/PaxHeader/PKGBUILD
    xcursor-protozoa/PKGBUILD

This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.

Addresses FS#28802.

Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/html/pkgsubmit.php | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

(limited to 'web/html/pkgsubmit.php')

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 75a4b697..566890b9 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -65,23 +65,25 @@ if ($uid):
 			$pkgbuild_raw = '';
 			$dircount = 0;
 			foreach ($tar->listContent() as $tar_file) {
-				if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
-					$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+				if ($tar_file['typeflag'] == 0) {
+					if (strchr($tar_file['filename'], '/') === false) {
+						$error = __("Error - source tarball may not contain files outside a directory.");
+						break;
+					}
+					elseif (substr($tar_file['filename'], -9) == '/PKGBUILD') {
+						$pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+					}
 				}
-				elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
-					if (++$dircount > 1) {
+				elseif ($tar_file['typeflag'] == 5) {
+					if (substr_count($tar_file['filename'], "/") > 1) {
+						$error = __("Error - source tarball may not contain nested subdirectories.");
+						break;
+					}
+					elseif (++$dircount > 1) {
 						$error = __("Error - source tarball may not contain more than one directory.");
 						break;
 					}
 				}
-				elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
-					$error = __("Error - source tarball may not contain files outside a directory.");
-					break;
-				}
-				elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
-					$error = __("Error - source tarball may not contain nested subdirectories.");
-					break;
-				}
 			}
 
 			if (!$error && empty($pkgbuild_raw)) {
-- 
cgit v1.2.3-24-g4f1b