From a427bd72a7e3d2c74fbe66317c88e44df4b7bc3a Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Wed, 30 Mar 2011 20:26:13 +0200
Subject: Be more restrictive with source tarball contents.

Reject tarballs containing more than one directory or files outside a directory.

Signed-off-by: Lukas Fleischer
---
 web/html/pkgsubmit.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'web/html/pkgsubmit.php')

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 954f1ce1..05cc8666 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -59,17 +59,28 @@ if ($_COOKIE["AURSID"]):
  # Extract PKGBUILD into a string
  $pkgbuild_raw = '';
+ $dircount = 0;
  foreach ($tar->listContent() as $tar_file) {
  if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
  $pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+ }
+ elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
+ if (++$dircount > 1) {
+ $error = __("Error - source tarball may not contain more than one directory.");
+ break;
+ }
+ }
+ elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
+ $error = __("Error - source tarball may not contain files outside a directory.");
  break;
  }
  elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
- $error = __("Error - source tarball may not contain subdirectories.");
+ $error = __("Error - source tarball may not contain nested subdirectories.");
+ break;
  }
  }
- if (empty($pkgbuild_raw)) {
+ if (!$error && empty($pkgbuild_raw)) {
  $error = __("Error trying to unpack upload - PKGBUILD does not exist.");
  }
  }
-- 
cgit v1.2.3-24-g4f1b
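Review bot: The one-directory rule in the new `elseif` branches only fires when the archive carries an explicit `name/` record, so a tarball that stores `a/PKGBUILD` and `b/file` without directory records never pushes `$dircount` past 1, and `b/file` matches none of the four patterns. Tar writers are not required to emit directory records, so the check should compare the first path component of every entry with the first one seen instead of counting directory records; the sketch below reuses the existing error string and makes `$dircount` unnecessary. The same comparison is the natural place to refuse `.` and `..` as the top-level component, which would matter if the archive is later unpacked to disk (not visible in this hunk). The `if ($_COOKIE["AURSID"]):` block starts and ends outside the hunk, and `!$error` assumes `$error` is initialised before it.

```php
$topdir = null;
foreach ($tar->listContent() as $tar_file) {
	# First path component; every entry must share it, whether or not
	# the archive contains an explicit directory record.
	list($component) = explode('/', $tar_file['filename'], 2);
	if ($topdir === null) {
		$topdir = $component;
	}
	elseif ($component !== $topdir) {
		$error = __("Error - source tarball may not contain more than one directory.");
		break;
	}
	# … unchanged: PKGBUILD, top-level file and nested-subdirectory checks …
```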