danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Protect from zip-bombs

Browse Source
This commit is contained in:
Daniel Winzen
2017-08-07 21:15:13 +02:00
parent 06dce903dc
commit 6c6b6a689d
1 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
var/www/html/files.php
View File

@ -15,7 +15,7 @@ if(empty($_SESSION['ftp_pass'])){
exit;
}
$ftp=ftp_connect('127.0.0.1') or die ('No Connection to FTP server!');
if(!ftp_login($ftp, "$user[onion].onion", $_SESSION['ftp_pass'])){
if(@!ftp_login($ftp, "$user[onion].onion", $_SESSION['ftp_pass'])){
send_login();
exit;
}
@ -152,13 +152,22 @@ if(!empty($_POST['unzip']) && !empty($_POST['files'])){
}
$tmpfile='/tmp/'.uniqid().'.zip';
ftp_get($ftp, $tmpfile, $file, FTP_BINARY);
$zip->open($tmpfile);
$tmpdir='/tmp/'.uniqid().'/';
mkdir($tmpdir);
$zip->extractTo($tmpdir);
ftp_recursive_upload($ftp, $tmpdir);
rmdir($tmpdir);
$zip->close();
//prevent zip-bombs
$size=0;
$resource=zip_open($tmpfile);
while($dir_resource=zip_read($resource)) {
$size+=zip_entry_filesize($dir_resource);
}
zip_close($resource);
if($size<=1073741824){ //1GB limit
$zip->open($tmpfile);
$tmpdir='/tmp/'.uniqid().'/';
mkdir($tmpdir);
$zip->extractTo($tmpdir);
ftp_recursive_upload($ftp, $tmpdir);
rmdir($tmpdir);
$zip->close();
}
unlink($tmpfile);
}
}