lib/dload: prevent large file attacks

This means creating a new struct which can pass more descriptive data
from the back end sync functions to the downloader. In particular, we're
interested in the download size read from the sync DB. When the remote
server reports a size larger than this (via a content-length header),
abort the transfer.

In cases where the size is unknown, we set a hard upper limit of:

* 25MiB for a sync DB
* 16KiB for a signature

For reference, 25MiB is more than twice the size of all of the current
binary repos (with files) combined, and 16KiB is a truly gargantuan
signature.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>

1 files changed, 11 insertions, 2 deletions

diff --git a/lib/libalpm/dload.h b/lib/libalpm/dload.h
index 351b2b30..6a2dd392 100644
--- a/lib/libalpm/dload.h
+++ b/lib/libalpm/dload.h
@@ -33,8 +33,17 @@ struct fileinfo {
 	double initial_size;
 };
 
-int _alpm_download(alpm_handle_t *handle, const char *url, const char *localpath,
-		char **final_file, int force, int allow_resume, int errors_ok);
+struct dload_payload {
+	char *filename;
+	char *fileurl;
+	long max_size;
+};
+
+void _alpm_dload_payload_free(struct dload_payload *payload);
+
+int _alpm_download(alpm_handle_t *handle, struct dload_payload *payload,
+		const char *localpath, char **final_file, int force, int allow_resume,
+		int errors_ok);
 
 #endif /* _ALPM_DLOAD_H */