* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.

The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:

    PaxHeader/xcursor-protozoa
    xcursor-protozoa/
    xcursor-protozoa/PaxHeader/PKGBUILD
    xcursor-protozoa/PKGBUILD

This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.

Addresses FS#28802.

Thanks-to: Dave Reisner <[email protected]>
Signed-off-by: Lukas Fleischer <[email protected]>
---
Dave told me to go ahead and fix this. Here we go!

 web/html/pkgsubmit.php |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 75a4b69..566890b 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -65,23 +65,25 @@ if ($uid):
                        $pkgbuild_raw = '';
                        $dircount = 0;
                        foreach ($tar->listContent() as $tar_file) {
-                               if (preg_match('/^[^\/]+\/PKGBUILD$/', 
$tar_file['filename'])) {
-                                       $pkgbuild_raw = 
$tar->extractInString($tar_file['filename']);
+                               if ($tar_file['typeflag'] == 0) {
+                                       if (strchr($tar_file['filename'], '/') 
=== false) {
+                                               $error = __("Error - source 
tarball may not contain files outside a directory.");
+                                               break;
+                                       }
+                                       elseif (substr($tar_file['filename'], 
-9) == '/PKGBUILD') {
+                                               $pkgbuild_raw = 
$tar->extractInString($tar_file['filename']);
+                                       }
                                }
-                               elseif (preg_match('/^[^\/]+\/$/', 
$tar_file['filename'])) {
-                                       if (++$dircount > 1) {
+                               elseif ($tar_file['typeflag'] == 5) {
+                                       if (substr_count($tar_file['filename'], 
"/") > 1) {
+                                               $error = __("Error - source 
tarball may not contain nested subdirectories.");
+                                               break;
+                                       }
+                                       elseif (++$dircount > 1) {
                                                $error = __("Error - source 
tarball may not contain more than one directory.");
                                                break;
                                        }
                                }
-                               elseif (preg_match('/^[^\/]+$/', 
$tar_file['filename'])) {
-                                       $error = __("Error - source tarball may 
not contain files outside a directory.");
-                                       break;
-                               }
-                               elseif (preg_match('/^[^\/]+\/[^\/]+\//', 
$tar_file['filename'])) {
-                                       $error = __("Error - source tarball may 
not contain nested subdirectories.");
-                                       break;
-                               }
                        }
 
                        if (!$error && empty($pkgbuild_raw)) {
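Review bot: the new `substr($tar_file['filename'], -9) == '/PKGBUILD'` test is looser than the `^[^\/]+\/PKGBUILD$` regex it replaces: it also matches a PKGBUILD at any deeper level, and because the nested-subdirectory check now only runs for entries with typeflag 5, an archive carrying `foo/bar/PKGBUILD` without a directory entry for `foo/bar/` is no longer rejected. Consider also requiring `substr_count($tar_file['filename'], '/') == 1` in the file branch. Separately, `$tar_file['typeflag'] == 0` and `== 5` are loose comparisons against integers while the typeflag is a one-character string taken from the header; under PHP's loose comparison a non-numeric string such as the pax extended-header flag compares equal to 0, so the PaxHeader entries this patch is meant to skip can still enter the file branch. Comparing against the string values (`=== '0'`, `=== '5'`, plus the empty/NUL flag that old-style archives use for plain files) avoids that.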
-- 
1.7.9.4
