[aur-dev] [PATCH 08/13] Do not allow for overwriting arbitrary packages

Sat Apr 5 07:59:48 EDT 2014

A package should only be overwritten if it already belongs to the
package base that is trying to overwrite it.

Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
 web/html/pkgsubmit.php | 44 +++++++++++++++++++++++---------------------
 web/lib/aur.inc.php    | 19 +++++++++++++++++++
 2 files changed, 42 insertions(+), 21 deletions(-)

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 13a67d8..cf5e03b 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -410,33 +410,35 @@ if ($uid):
 		}
 
 		/* Upload PKGBUILD and tarball. */
-		if (!$error) {
-			/*
-			 * First, check whether this package already exists and
-			 * whether it can be overwritten.
-			 */
-			if (can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) {
-				if (file_exists($incoming_pkgdir)) {
-					/*
-					 * Blow away the existing directory and
-					 * its contents.
-					 */
-					rm_tree($incoming_pkgdir);
-				}
+		if (!$error && !can_submit_pkgbase($pkgbase_name, $_COOKIE["AURSID"])) {
+			$error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkgbase_name, "</strong>");
+		}
 
-				/*
-				 * The mode is masked by the current umask, so
-				 * not as scary as it looks.
-				 */
-				if (!mkdir($incoming_pkgdir, 0777, true)) {
-					$error = __( "Could not create directory %s.", $incoming_pkgdir);
+		if (!$error) {
+			foreach ($pkginfo as $pi) {
+				if (!can_submit_pkg($pi['pkgname'], $base_id)) {
+					$error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pi['pkgname'], "</strong>");
+					break;
 				}
-			} else {
-				$error = __( "You are not allowed to overwrite the %s%s%s package.", "<strong>", $pkg_name, "</strong>");
 			}
 		}
 
 		if (!$error) {
+			/*
+			 * Blow away the existing directory and its contents.
+			 */
+			if (file_exists($incoming_pkgdir)) {
+				rm_tree($incoming_pkgdir);
+			}
+
+			/*
+			 * The mode is masked by the current umask, so not as
+			 * scary as it looks.
+			 */
+			if (!mkdir($incoming_pkgdir, 0777, true)) {
+				$error = __( "Could not create directory %s.", $incoming_pkgdir);
+			}
+
 			if (!chdir($incoming_pkgdir)) {
 				$error = __("Could not change directory to %s.", $incoming_pkgdir);
 			}
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index e786e50..16aa261 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -313,6 +313,25 @@ function can_submit_pkgbase($name="", $sid="") {
 }
 
 /**
+ * Determine if a package can be overwritten by some package base
+ *
+ * @param string $name Name of the package to be submitted
+ * @param int $base_id The ID of the package base
+ *
+ * @return bool True if the package can be overwritten, false if not
+ */
+function can_submit_pkg($name, $base_id) {
+	$dbh = DB::connect();
+	$q = "SELECT COUNT(*) FROM Packages WHERE ";
+	$q.= "Name = " . $dbh->quote($name) . " AND ";
+	$q.= "PackageBaseID <> " . intval($base_id);
+	$result = $dbh->query($q);
+
+	if (!$result) return false;
+	return ($result->fetchColumn() == 0);
+}
+
+/**
  * Recursively delete a directory
  *
  * @param string $dirname Name of the directory to be removed
-- 
1.9.1

