* Reorder checks. * Use simple string functions instead of regular expressions. * Check for type flags before validating paths. The latter ensures we don't treat tarball keywords/flags as directories. This avoids problems with bsdtar inserting PaxHeader attributes into the archive which look something like the following to Archive_Tar: PaxHeader/xcursor-protozoa xcursor-protozoa/ xcursor-protozoa/PaxHeader/PKGBUILD xcursor-protozoa/PKGBUILD This only occurs on certain filesystems (e.g. jfs), but the tarball is by no means invalid. When extracted, it will only contain the PKGBUILD within a single subdirectory. Addresses FS#28802. Thanks-to: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
Dave told me to go ahead and fix this. Here we go!
 web/html/pkgsubmit.php | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 75a4b69..566890b 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -65,23 +65,25 @@ if ($uid):
 $pkgbuild_raw = '';
 $dircount = 0;
 foreach ($tar->listContent() as $tar_file) {
- if (preg_match('/^[^\/]+\/PKGBUILD$/', $tar_file['filename'])) {
- $pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+ if ($tar_file['typeflag'] == 0) {
+ if (strchr($tar_file['filename'], '/') === false) {
+ $error = __("Error - source tarball may not contain files outside a directory.");
+ break;
+ }
+ elseif (substr($tar_file['filename'], -9) == '/PKGBUILD') {
+ $pkgbuild_raw = $tar->extractInString($tar_file['filename']);
+ }
 }
- elseif (preg_match('/^[^\/]+\/$/', $tar_file['filename'])) {
- if (++$dircount > 1) {
+ elseif ($tar_file['typeflag'] == 5) {
+ if (substr_count($tar_file['filename'], "/") > 1) {
+ $error = __("Error - source tarball may not contain nested subdirectories.");
+ break;
+ }
+ elseif (++$dircount > 1) {
 $error = __("Error - source tarball may not contain more than one directory.");
 break;
 }
 }
- elseif (preg_match('/^[^\/]+$/', $tar_file['filename'])) {
- $error = __("Error - source tarball may not contain files outside a directory.");
- break;
- }
- elseif (preg_match('/^[^\/]+\/[^\/]+\//', $tar_file['filename'])) {
- $error = __("Error - source tarball may not contain nested subdirectories.");
- break;
- }
 }
 if (!$error && empty($pkgbuild_raw)) {
--
1.7.9.4
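Review bot: The nested-path check now runs only for directory entries (`typeflag == 5`), so a regular file named like `dir/sub/PKGBUILD` in an archive without explicit directory records passes the `typeflag == 0` branch and is taken as the PKGBUILD, where the removed `'/^[^\/]+\/[^\/]+\//'` test rejected it. I would repeat the slash count in the file branch, `elseif (substr_count($tar_file['filename'], '/') > 1) {`, reusing the existing nested-subdirectories error, ahead of the `/PKGBUILD` suffix test. That only holds up with strict comparisons: `== 0` and `== 5` are loose, and if Archive_Tar returns the flag as the raw header character, a non-numeric flag compares equal to 0 on PHP versions before 8 and lands in the file branch, so `=== '0'` and `=== '5'` would be safer once the flag's type is confirmed. Entries with any other typeflag, links for instance, now skip every path check; if the tarball is unpacked to disk later in this file, which the hunk does not show, they deserve an explicit accept-or-reject decision. The `foreach` sits inside an `if ($uid):` block that begins and ends outside the hunk.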