Reject uploads on case insensitive filename matches. (#2114)

isoos · web-flow · commit 5121ff141dbb · 2019-03-10T22:30:44.000+01:00
diff --git a/app/lib/frontend/backend.dart b/app/lib/frontend/backend.dart
@@ -860,6 +860,19 @@ Future<_ValidatedUpload> _parseAndValidateUpload(
 
   final files = await listTarball(filename);
 
+  // Check whether the files can be extracted on case-preserving file systems
+  // (e.g. on Windows). We can't allow two files with the same case-insensitive
+  // name.
+  final lowerCaseFiles = <String>{};
+  for (String file in files) {
+    final lower = file.toLowerCase();
+    if (lowerCaseFiles.contains(lower)) {
+      throw GenericProcessingException(
+          'Filename collision on case-preserving file systems: $file.');
+    }
+    lowerCaseFiles.add(lower);
+  }
+
   // Searches in [files] for a file name [name] and compare in a
   // case-insensitive manner.
   //
diff --git a/app/lib/shared/utils.dart b/app/lib/shared/utils.dart
@@ -51,8 +51,7 @@ Future<T> withTempDirectory<T>(Future<T> func(Directory dir),
 }
 
 Future<List<String>> listTarball(String path) async {
-  // List files up-to 4 directory levels:
-  final args = ['--exclude=*/*/*/*/*', '-tzf', path];
+  final args = ['-tzf', path];
   final result = await Process.run('tar', args);
   if (result.exitCode != 0) {
     _logger.warning('The "tar $args" command failed:\n'

Original file line number	Diff line number	Diff line change
`@@ -51,8 +51,7 @@ Future<T> withTempDirectory<T>(Future<T> func(Directory dir),`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`Future<List<String>> listTarball(String path) async {`
`54`		`- // List files up-to 4 directory levels:`
`55`		`- final args = ['--exclude=////*', '-tzf', path];`
	`54`	`+ final args = ['-tzf', path];`
`56`	`55`	`final result = await Process.run('tar', args);`
`57`	`56`	`if (result.exitCode != 0) {`
`58`	`57`	`_logger.warning('The "tar $args" command failed:\n'`