gitweb: Consolidate escaping/validation of query string
Consider: http://repo.or.cz/?p=glibc-cvs.git;a=tree;h=2609cb0411389325f4ee2854cc7159756eb0671e;hb=2609cb0411389325f4ee2854cc7159756eb0671e (click on the funny =__ify file) We ought to handle anything in filenames and I actually see no reason why we don't, modulo very little missing escaping that this patch hopefully also fixes. I have also made esc_param() escape [?=&;]. Not escaping [&;] was downright buggy and [?=] just feels better escaped. ;-) YMMV. Signed-off-by: Petr Baudis <pasky@suse.cz> Signed-off-by: Junio C Hamano <junkio@cox.net>maint
							parent
							
								
									8f41db8c37
								
							
						
					
					
						commit
						a2f3db2f5d
					
				|  | @ -212,19 +212,9 @@ if (defined $project) { | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|  | # We have to handle those containing any characters: | ||||||
| our $file_name = $cgi->param('f'); | our $file_name = $cgi->param('f'); | ||||||
| if (defined $file_name) { |  | ||||||
| 	if (!validate_input($file_name)) { |  | ||||||
| 		die_error(undef, "Invalid file parameter"); |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| our $file_parent = $cgi->param('fp'); | our $file_parent = $cgi->param('fp'); | ||||||
| if (defined $file_parent) { |  | ||||||
| 	if (!validate_input($file_parent)) { |  | ||||||
| 		die_error(undef, "Invalid file parent parameter"); |  | ||||||
| 	} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| our $hash = $cgi->param('h'); | our $hash = $cgi->param('h'); | ||||||
| if (defined $hash) { | if (defined $hash) { | ||||||
|  | @ -305,7 +295,7 @@ sub evaluate_path_info { | ||||||
| 			$action  ||= "blob_plain"; | 			$action  ||= "blob_plain"; | ||||||
| 		} | 		} | ||||||
| 		$hash_base ||= validate_input($refname); | 		$hash_base ||= validate_input($refname); | ||||||
| 		$file_name ||= validate_input($pathname); | 		$file_name ||= $pathname; | ||||||
| 	} elsif (defined $refname) { | 	} elsif (defined $refname) { | ||||||
| 		# we got "project.git/branch" | 		# we got "project.git/branch" | ||||||
| 		$action ||= "shortlog"; | 		$action ||= "shortlog"; | ||||||
|  | @ -416,7 +406,7 @@ sub validate_input { | ||||||
| # correct, but quoted slashes look too horrible in bookmarks | # correct, but quoted slashes look too horrible in bookmarks | ||||||
| sub esc_param { | sub esc_param { | ||||||
| 	my $str = shift; | 	my $str = shift; | ||||||
| 	$str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&=])/sprintf("%%%02X", ord($1))/eg; | 	$str =~ s/([^A-Za-z0-9\-_.~()\/:@])/sprintf("%%%02X", ord($1))/eg; | ||||||
| 	$str =~ s/\+/%2B/g; | 	$str =~ s/\+/%2B/g; | ||||||
| 	$str =~ s/ /\+/g; | 	$str =~ s/ /\+/g; | ||||||
| 	return $str; | 	return $str; | ||||||
|  | @ -1282,7 +1272,7 @@ sub git_header_html { | ||||||
| 		if (defined $action) { | 		if (defined $action) { | ||||||
| 			$title .= "/$action"; | 			$title .= "/$action"; | ||||||
| 			if (defined $file_name) { | 			if (defined $file_name) { | ||||||
| 				$title .= " - $file_name"; | 				$title .= " - " . esc_html($file_name); | ||||||
| 				if ($action eq "tree" && $file_name !~ m|/$|) { | 				if ($action eq "tree" && $file_name !~ m|/$|) { | ||||||
| 					$title .= "/"; | 					$title .= "/"; | ||||||
| 				} | 				} | ||||||
|  | @ -2430,7 +2420,7 @@ sub git_blame2 { | ||||||
| 	if ($ftype !~ "blob") { | 	if ($ftype !~ "blob") { | ||||||
| 		die_error("400 Bad Request", "Object is not a blob"); | 		die_error("400 Bad Request", "Object is not a blob"); | ||||||
| 	} | 	} | ||||||
| 	open ($fd, "-|", git_cmd(), "blame", '-l', $file_name, $hash_base) | 	open ($fd, "-|", git_cmd(), "blame", '-l', '--', $file_name, $hash_base) | ||||||
| 		or die_error(undef, "Open git-blame failed"); | 		or die_error(undef, "Open git-blame failed"); | ||||||
| 	git_header_html(); | 	git_header_html(); | ||||||
| 	my $formats_nav = | 	my $formats_nav = | ||||||
|  | @ -3072,12 +3062,12 @@ sub git_blobdiff { | ||||||
| 		if (defined $file_name) { | 		if (defined $file_name) { | ||||||
| 			if (defined $file_parent) { | 			if (defined $file_parent) { | ||||||
| 				$diffinfo{'status'} = '2'; | 				$diffinfo{'status'} = '2'; | ||||||
| 				$diffinfo{'from_file'} = $file_parent; | 				$diffinfo{'from_file'} = esc_html($file_parent); | ||||||
| 				$diffinfo{'to_file'}   = $file_name; | 				$diffinfo{'to_file'}   = esc_html($file_name); | ||||||
| 			} else { # assume not renamed | 			} else { # assume not renamed | ||||||
| 				$diffinfo{'status'} = '1'; | 				$diffinfo{'status'} = '1'; | ||||||
| 				$diffinfo{'from_file'} = $file_name; | 				$diffinfo{'from_file'} = esc_html($file_name); | ||||||
| 				$diffinfo{'to_file'}   = $file_name; | 				$diffinfo{'to_file'}   = esc_html($file_name); | ||||||
| 			} | 			} | ||||||
| 		} else { # no filename given | 		} else { # no filename given | ||||||
| 			$diffinfo{'status'} = '2'; | 			$diffinfo{'status'} = '2'; | ||||||
|  | @ -3126,7 +3116,7 @@ sub git_blobdiff { | ||||||
| 			-type => 'text/plain', | 			-type => 'text/plain', | ||||||
| 			-charset => 'utf-8', | 			-charset => 'utf-8', | ||||||
| 			-expires => $expires, | 			-expires => $expires, | ||||||
| 			-content_disposition => qq(inline; filename="${file_name}.patch")); | 			-content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch")); | ||||||
|  |  | ||||||
| 		print "X-Git-Url: " . $cgi->self_url() . "\n\n"; | 		print "X-Git-Url: " . $cgi->self_url() . "\n\n"; | ||||||
|  |  | ||||||
|  | @ -3576,7 +3566,7 @@ XML | ||||||
| 			if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) { | 			if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) { | ||||||
| 				next; | 				next; | ||||||
| 			} | 			} | ||||||
| 			my $file = validate_input(unquote($7)); | 			my $file = esc_html(unquote($7)); | ||||||
| 			$file = decode("utf8", $file, Encode::FB_DEFAULT); | 			$file = decode("utf8", $file, Encode::FB_DEFAULT); | ||||||
| 			print "$file<br/>\n"; | 			print "$file<br/>\n"; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
		Loading…
	
		Reference in New Issue
	
	 Petr Baudis
						Petr Baudis