gitweb: Consolidate escaping/validation of query string
Consider: http://repo.or.cz/?p=glibc-cvs.git;a=tree;h=2609cb0411389325f4ee2854cc7159756eb0671e;hb=2609cb0411389325f4ee2854cc7159756eb0671e (click on the funny =__ify file) We ought to handle anything in filenames and I actually see no reason why we don't, modulo very little missing escaping that this patch hopefully also fixes. I have also made esc_param() escape [?=&;]. Not escaping [&;] was downright buggy and [?=] just feels better escaped. ;-) YMMV. Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>
This commit is contained in:
parent
8f41db8c37
commit
a2f3db2f5d
@ -212,19 +212,9 @@ if (defined $project) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# We have to handle those containing any characters:
|
||||||
our $file_name = $cgi->param('f');
|
our $file_name = $cgi->param('f');
|
||||||
if (defined $file_name) {
|
|
||||||
if (!validate_input($file_name)) {
|
|
||||||
die_error(undef, "Invalid file parameter");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
our $file_parent = $cgi->param('fp');
|
our $file_parent = $cgi->param('fp');
|
||||||
if (defined $file_parent) {
|
|
||||||
if (!validate_input($file_parent)) {
|
|
||||||
die_error(undef, "Invalid file parent parameter");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
our $hash = $cgi->param('h');
|
our $hash = $cgi->param('h');
|
||||||
if (defined $hash) {
|
if (defined $hash) {
|
||||||
@ -305,7 +295,7 @@ sub evaluate_path_info {
|
|||||||
$action ||= "blob_plain";
|
$action ||= "blob_plain";
|
||||||
}
|
}
|
||||||
$hash_base ||= validate_input($refname);
|
$hash_base ||= validate_input($refname);
|
||||||
$file_name ||= validate_input($pathname);
|
$file_name ||= $pathname;
|
||||||
} elsif (defined $refname) {
|
} elsif (defined $refname) {
|
||||||
# we got "project.git/branch"
|
# we got "project.git/branch"
|
||||||
$action ||= "shortlog";
|
$action ||= "shortlog";
|
||||||
@ -416,7 +406,7 @@ sub validate_input {
|
|||||||
# correct, but quoted slashes look too horrible in bookmarks
|
# correct, but quoted slashes look too horrible in bookmarks
|
||||||
sub esc_param {
|
sub esc_param {
|
||||||
my $str = shift;
|
my $str = shift;
|
||||||
$str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&=])/sprintf("%%%02X", ord($1))/eg;
|
$str =~ s/([^A-Za-z0-9\-_.~()\/:@])/sprintf("%%%02X", ord($1))/eg;
|
||||||
$str =~ s/\+/%2B/g;
|
$str =~ s/\+/%2B/g;
|
||||||
$str =~ s/ /\+/g;
|
$str =~ s/ /\+/g;
|
||||||
return $str;
|
return $str;
|
||||||
@ -1282,7 +1272,7 @@ sub git_header_html {
|
|||||||
if (defined $action) {
|
if (defined $action) {
|
||||||
$title .= "/$action";
|
$title .= "/$action";
|
||||||
if (defined $file_name) {
|
if (defined $file_name) {
|
||||||
$title .= " - $file_name";
|
$title .= " - " . esc_html($file_name);
|
||||||
if ($action eq "tree" && $file_name !~ m|/$|) {
|
if ($action eq "tree" && $file_name !~ m|/$|) {
|
||||||
$title .= "/";
|
$title .= "/";
|
||||||
}
|
}
|
||||||
@ -2430,7 +2420,7 @@ sub git_blame2 {
|
|||||||
if ($ftype !~ "blob") {
|
if ($ftype !~ "blob") {
|
||||||
die_error("400 Bad Request", "Object is not a blob");
|
die_error("400 Bad Request", "Object is not a blob");
|
||||||
}
|
}
|
||||||
open ($fd, "-|", git_cmd(), "blame", '-l', $file_name, $hash_base)
|
open ($fd, "-|", git_cmd(), "blame", '-l', '--', $file_name, $hash_base)
|
||||||
or die_error(undef, "Open git-blame failed");
|
or die_error(undef, "Open git-blame failed");
|
||||||
git_header_html();
|
git_header_html();
|
||||||
my $formats_nav =
|
my $formats_nav =
|
||||||
@ -3072,12 +3062,12 @@ sub git_blobdiff {
|
|||||||
if (defined $file_name) {
|
if (defined $file_name) {
|
||||||
if (defined $file_parent) {
|
if (defined $file_parent) {
|
||||||
$diffinfo{'status'} = '2';
|
$diffinfo{'status'} = '2';
|
||||||
$diffinfo{'from_file'} = $file_parent;
|
$diffinfo{'from_file'} = esc_html($file_parent);
|
||||||
$diffinfo{'to_file'} = $file_name;
|
$diffinfo{'to_file'} = esc_html($file_name);
|
||||||
} else { # assume not renamed
|
} else { # assume not renamed
|
||||||
$diffinfo{'status'} = '1';
|
$diffinfo{'status'} = '1';
|
||||||
$diffinfo{'from_file'} = $file_name;
|
$diffinfo{'from_file'} = esc_html($file_name);
|
||||||
$diffinfo{'to_file'} = $file_name;
|
$diffinfo{'to_file'} = esc_html($file_name);
|
||||||
}
|
}
|
||||||
} else { # no filename given
|
} else { # no filename given
|
||||||
$diffinfo{'status'} = '2';
|
$diffinfo{'status'} = '2';
|
||||||
@ -3126,7 +3116,7 @@ sub git_blobdiff {
|
|||||||
-type => 'text/plain',
|
-type => 'text/plain',
|
||||||
-charset => 'utf-8',
|
-charset => 'utf-8',
|
||||||
-expires => $expires,
|
-expires => $expires,
|
||||||
-content_disposition => qq(inline; filename="${file_name}.patch"));
|
-content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch"));
|
||||||
|
|
||||||
print "X-Git-Url: " . $cgi->self_url() . "\n\n";
|
print "X-Git-Url: " . $cgi->self_url() . "\n\n";
|
||||||
|
|
||||||
@ -3576,7 +3566,7 @@ XML
|
|||||||
if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) {
|
if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) {
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
my $file = validate_input(unquote($7));
|
my $file = esc_html(unquote($7));
|
||||||
$file = decode("utf8", $file, Encode::FB_DEFAULT);
|
$file = decode("utf8", $file, Encode::FB_DEFAULT);
|
||||||
print "$file<br/>\n";
|
print "$file<br/>\n";
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user