>From 1e044802f9c63a53020f1747f25f553fa1bf520d Mon Sep 17 00:00:00 2001
From: Loui Chang
Date: Sun, 9 Nov 2008 22:35:00 -0500
Subject: [PATCH] Give group writable permissions to uploaded files.
Add a new function chown_group to recursively change permissions. Tweak some of the coding style. Replace some of the redundant string concatenation with a variable. Thanks to Dan McGee for chown_group.
Signed-off-by: Loui Chang
---
 web/html/pkgsubmit.php | 36 +++++++++++++++++++-----------------
 web/lib/aur.inc | 28 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 17 deletions(-)
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index c38e224..4446648 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -30,12 +30,10 @@ if ($_COOKIE["AURSID"]):
 if (!$error) {
 if (!@mkdir($tempdir)) {
- $error = __("Could not create incoming directory: %s.",
- array($tempdir));
+ $error = __("Could not create incoming directory: %s.", $tempdir);
 } else {
 if (!@chdir($tempdir)) {
- $error = __("Could not change directory to %s.",
- array($tempdir));
+ $error = __("Could not change directory to %s.", $tempdir);
 } else {
 if ($_FILES['pfile']['name'] == "PKGBUILD") {
 move_uploaded_file($_FILES['pfile']['tmp_name'], $tempdir . "/PKGBUILD");
@@ -205,32 +203,31 @@ if ($_COOKIE["AURSID"]):
 }
 }
+ $incoming_pkgdir = INCOMING_DIR . $pkg_name;
+
 if (!$error) {
 # First, see if this package already exists, and if it can be overwritten
 $pkg_exists = package_exists($pkg_name);
 if (can_submit_pkg($pkg_name, $_COOKIE["AURSID"])) {
- if (file_exists(INCOMING_DIR . $pkg_name)) {
+ if (file_exists($incoming_pkgdir)) {
 # Blow away the existing file/dir and contents
- rm_rf(INCOMING_DIR . $pkg_name);
+ rm_rf($incoming_pkgdir);
 }
- if (!@mkdir(INCOMING_DIR . $pkg_name)) {
- $error = __( "Could not create directory %s.",
- INCOMING_DIR . $pkg_name);
+ if (!@mkdir($incoming_pkgdir)) {
+ $error = __( "Could not create directory %s.", $incoming_pkgdir);
 }
- rename($pkg_dir, INCOMING_DIR . $pkg_name . "/" . $pkg_name);
+ rename($pkg_dir, $incoming_pkgdir . "/" . $pkg_name);
 } else {
- $error = __( "You are not allowed to overwrite the %h%s%h package.",
- "", $pkg_name, "");
+ $error = __( "You are not allowed to overwrite the %h%s%h package.", "", $pkg_name, "");
 }
 }
 # Re-tar the package for consistency's sake
 if (!$error) {
- if (!@chdir(INCOMING_DIR . $pkg_name)) {
- $error = __("Could not change directory to %s.",
- array(INCOMING_DIR . $pkg_name));
+ if (!@chdir($incoming_pkgdir)) {
+ $error = __("Could not change directory to %s.", $incoming_pkgdir);
 }
 }
@@ -243,6 +240,11 @@ if ($_COOKIE["AURSID"]):
 }
 }
+ # Chmod files after everything has been done.
+ if (!chmod_group($incoming_pkgdir)) {
+ $error = __("Could not chmod directory %s.", $incoming_pkgdir);
+ }
+
 # Whether it failed or not we can clean this out
 if (file_exists($tempdir)) {
 rm_rf($tempdir);
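Review bot: `rename($pkg_dir, $incoming_pkgdir . "/" . $pkg_name)` still runs when the `@mkdir($incoming_pkgdir)` directly above it has failed, and its own result is never checked, so a failed move is not reported and the later steps work on a directory that may not hold the upload. Chaining it to the mkdir check and setting `$error` when it returns false would close that gap, e.g. `} elseif (!rename($pkg_dir, $incoming_pkgdir . "/" . $pkg_name)) { $error = ...; }`. Since `$incoming_pkgdir` is now the single path handed to `rm_rf()`, `mkdir()` and `rename()`, its assignment is also the natural place for a comment stating where `$pkg_name` is restricted to a plain name (no `/`, no `..`); that validation is not visible in this hunk. The enclosing `if ($_COOKIE["AURSID"]):` block starts and ends outside the hunk.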
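Review bot: The new `chmod_group($incoming_pkgdir)` call is not wrapped in `if (!$error)`, unlike the steps around it, so it also runs after a failed submission. On the "not allowed to overwrite" path shown in the previous hunk, the permissions of an existing package directory would then be rewritten for a user who was just refused, and if `$pkg_name` is empty at this point (its assignment is outside the hunk) the path is `INCOMING_DIR` itself and the whole incoming tree is walked. A chmod failure would also overwrite the earlier, more specific `$error`. Guarding the call keeps it to successful uploads: `if (!$error && !chmod_group($incoming_pkgdir)) {`.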
@@ -296,7 +298,7 @@ if ($_COOKIE["AURSID"]):
 mysql_real_escape_string($new_pkgbuild['license']),
 mysql_real_escape_string($new_pkgbuild['pkgdesc']),
 mysql_real_escape_string($new_pkgbuild['url']),
- mysql_real_escape_string(INCOMING_DIR . $pkg_name . "/" . $pkg_name . ".tar.gz"),
+ mysql_real_escape_string($incoming_pkgdir . "/" . $pkg_name . ".tar.gz"),
 mysql_real_escape_string(URL_DIR . $pkg_name . "/" . $pkg_name . ".tar.gz"),
 $pdata["ID"]);
@@ -342,7 +344,7 @@ if ($_COOKIE["AURSID"]):
 mysql_real_escape_string($new_pkgbuild['url']),
 uid_from_sid($_COOKIE["AURSID"]),
 uid_from_sid($_COOKIE["AURSID"]),
- mysql_real_escape_string(INCOMING_DIR . $pkg_name . "/" . $pkg_name . ".tar.gz"),
+ mysql_real_escape_string($incoming_pkgdir . "/" . $pkg_name . ".tar.gz"),
 mysql_real_escape_string(URL_DIR . $pkg_name . "/" . $pkg_name . ".tar.gz"));
 $result = db_query($q, $dbh);
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index a126bb9..690505a 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -381,6 +381,34 @@ function rm_rf($dirname="") {
 return;
 }
+# recursive chmod to set group write permissions
+#
+function chmod_group($path) {
+ if (!is_dir($path))
+ return chmod($path, 0664);
+
+ $d = dir($path);
+ while ($f = $d->read()) {
+ if ($f != '.' && $f != '..') {
+ $fullpath = $path.'/'.$f;
+ if (is_link($fullpath))
+ continue;
+ elseif (!is_dir($fullpath)) {
+ if (!chmod($fullpath, 0664))
+ return FALSE;
+ }
+ elseif(!chmod_group($fullpath))
+ return FALSE;
+ }
+ }
+ $d->close();
+
+ if(chmod($path, 0775))
+ return TRUE;
+ else
+ return FALSE;
+}
+
 # obtain the uid given a Users.Username
 #
 function uid_from_username($username="")
--
1.6.0.3
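Review bot: `chmod_group()` can leak its directory handle and stop early: both `return FALSE` statements inside the loop skip `$d->close()`, `while ($f = $d->read())` ends at the first entry whose name is falsy (a file called `0`), and the result of `dir($path)` is used without checking that it succeeded. The `is_link()` test covers directory entries but not `$path` itself, so a symlinked top-level path would still be followed by `is_dir()` and `chmod()`. The fixed modes 0664 and 0775 also replace every other permission bit rather than only adding group write, which deserves a line in the header comment. A version that closes the handle on every path and applies the link check uniformly is below.

```php
function chmod_group($path) {
	# Never follow a symlink, including the top-level argument.
	if (is_link($path))
		return TRUE;
	if (!is_dir($path))
		return chmod($path, 0664);

	$d = dir($path);
	if (!$d)
		return FALSE;

	$ok = TRUE;
	# Compare against FALSE so an entry named "0" does not end the loop.
	while ($ok && ($f = $d->read()) !== FALSE) {
		if ($f == '.' || $f == '..')
			continue;
		$ok = chmod_group($path.'/'.$f);
	}
	# Reached on success and on failure, so the handle is always released.
	$d->close();

	return $ok && chmod($path, 0775);
}
```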