From: Jakub Narebski <jnareb@gmail.com>
To: git@vger.kernel.org
Subject: [PATCH 4/n] gitweb: Secure against commit-ish/tree-ish with the same name as path
Date: Mon, 30 Oct 2006 22:29:06 +0100
Message-ID: <200610302229.06957.jnareb@gmail.com>
In-Reply-To: <200610301953.01875.jnareb@gmail.com>
Add "--" after the <commit-ish> or <tree-ish> argument to clearly mark it
as <commit-ish> or <tree-ish> and not a pathspec, securing against refs
with the same names as files or directories in a [live] repository.
Some wrapping to reduce line length as well.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
---
I use a branch named 'gitweb/test' to test gitweb against files with
funny characters (like '"', '\', TAB, LF) in filenames. I run gitweb
on a "live" (not bare) repository, and there is a directory 'gitweb/test'
in it. So I had some parts of gitweb not functioning, and errors in
the web server logs. This patch fixes that issue.
gitweb/gitweb.perl | 38 +++++++++++++++++++++++---------------
1 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 0fd1360..4554067 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1141,7 +1141,9 @@ sub parse_commit {
@commit_lines = @$commit_text;
} else {
local $/ = "\0";
- open my $fd, "-|", git_cmd(), "rev-list", "--header", "--parents", "--max-count=1", $commit_id
+ open my $fd, "-|", git_cmd(), "rev-list",
+ "--header", "--parents", "--max-count=1",
+ $commit_id, "--"
or return;
@commit_lines = split '\n', <$fd>;
close $fd or return;
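Review bot: this is the hunk that matters most, since $commit_id is derived from the request rather than from repository data; with `--` after it, git-rev-list can no longer resolve a caller-supplied name against a file or directory of the same name in a live work tree. Note that an unresolvable revision now fails inside git-rev-list and still surfaces only as the `or return` on the next line, with no diagnostic; a one-line comment saying that silent failure is intentional here would help the next reader.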
@@ -2559,7 +2561,7 @@ sub git_summary {
}
open my $fd, "-|", git_cmd(), "rev-list", "--max-count=17",
- git_get_head_hash($project)
+ git_get_head_hash($project), "--"
or die_error(undef, "Open git-rev-list failed");
my @revlist = map { chomp; $_ } <$fd>;
close $fd;
@@ -2970,7 +2972,7 @@ sub git_tree {
}
}
$/ = "\0";
- open my $fd, "-|", git_cmd(), "ls-tree", '-z', $hash
+ open my $fd, "-|", git_cmd(), "ls-tree", '-z', $hash, "--"
or die_error(undef, "Open git-ls-tree failed");
my @entries = map { chomp; $_ } <$fd>;
close $fd or die_error(undef, "Reading tree failed");
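Review bot: git-ls-tree takes `[--] <path>...` after the tree-ish, so `$hash, "--"` with no paths still lists the whole tree at $hash; the change is correct. Minor style point: `'-z'` is single-quoted and `"--"` double-quoted in the same argument list; pick one quoting style, as the other hunks in this patch consistently use `"--"`.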
@@ -3102,7 +3104,7 @@ sub git_log {
my $refs = git_get_references();
my $limit = sprintf("--max-count=%i", (100 * ($page+1)));
- open my $fd, "-|", git_cmd(), "rev-list", $limit, $hash
+ open my $fd, "-|", git_cmd(), "rev-list", $limit, $hash, "--"
or die_error(undef, "Open git-rev-list failed");
my @revlist = map { chomp; $_ } <$fd>;
close $fd;
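Review bot: this rev-list call (same `$limit` construction, same `open ... or die_error`) is duplicated verbatim in the git_shortlog hunk further down, so the same line had to be patched twice; a small helper taking `($limit, $hash)` would keep the `--` terminator in one place. Not blocking for this patch.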
@@ -3160,7 +3162,7 @@ sub git_commit {
$parent = "--root";
}
open my $fd, "-|", git_cmd(), "diff-tree", '-r', "--no-commit-id",
- @diff_opts, $parent, $hash
+ @diff_opts, $parent, $hash, "--"
or die_error(undef, "Open git-diff-tree failed");
my @difftree = map { chomp; $_ } <$fd>;
close $fd or die_error(undef, "Reading git-diff-tree failed");
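Review bot: the `--` is correct for both branches of the preceding `if`: when $parent is the literal `--root` (see `$parent = "--root";` in the context), the argument list becomes `--root $hash --`, which git-diff-tree accepts. The git_rss hunk later in this patch passes `$co{'parent'}` unconditionally; consider applying the same `--root` fallback there.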
@@ -3265,7 +3267,8 @@ sub git_blobdiff {
if (defined $hash_base && defined $hash_parent_base) {
if (defined $file_name) {
# read raw output
- open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts, $hash_parent_base, $hash_base,
+ open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts,
+ $hash_parent_base, $hash_base,
"--", $file_name
or die_error(undef, "Open git-diff-tree failed");
@difftree = map { chomp; $_ } <$fd>;
@@ -3279,7 +3282,8 @@ sub git_blobdiff {
# try to find filename from $hash
# read filtered raw output
- open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts, $hash_parent_base, $hash_base
+ open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts,
+ $hash_parent_base, $hash_base, "--"
or die_error(undef, "Open git-diff-tree failed");
@difftree =
# ':100644 100644 03b21826... 3b93d5e7... M ls-files.c'
@@ -3349,7 +3353,8 @@ sub git_blobdiff {
}
# open patch output
- open $fd, "-|", git_cmd(), "diff", '-p', @diff_opts, $hash_parent, $hash
+ open $fd, "-|", git_cmd(), "diff", '-p', @diff_opts,
+ $hash_parent, $hash, "--"
or die_error(undef, "Open git-diff failed");
} else {
die_error('404 Not Found', "Missing one of the blob diff parameters")
@@ -3480,8 +3485,8 @@ sub git_commitdiff {
my @difftree;
if ($format eq 'html') {
open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts,
- "--no-commit-id",
- "--patch-with-raw", "--full-index", $hash_parent, $hash
+ "--no-commit-id", "--patch-with-raw", "--full-index",
+ $hash_parent, $hash, "--"
or die_error(undef, "Open git-diff-tree failed");
while (chomp(my $line = <$fd>)) {
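Review bot: `or die_error(...)` on a list-form `open ... "-|"` only guards the fork, not a non-zero exit of git-diff-tree; with `--` appended, an unresolvable $hash or $hash_parent now fails inside git instead of being reinterpreted as a path, and that failure shows up as an empty `while (chomp(my $line = <$fd>))` loop rather than an error page. Not introduced by this patch, but worth a follow-up that checks the `close $fd` return so the user gets a 404 instead of an empty commitdiff.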
@@ -3492,7 +3497,7 @@ sub git_commitdiff {
} elsif ($format eq 'plain') {
open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts,
- '-p', $hash_parent, $hash
+ '-p', $hash_parent, $hash, "--"
or die_error(undef, "Open git-diff-tree failed");
} else {
@@ -3669,7 +3674,9 @@ sub git_search {
my $alternate = 1;
if ($searchtype eq 'commit' or $searchtype eq 'author' or $searchtype eq 'committer') {
$/ = "\0";
- open my $fd, "-|", git_cmd(), "rev-list", "--header", "--parents", $hash or next;
+ open my $fd, "-|", git_cmd(), "rev-list",
+ "--header", "--parents", $hash, "--"
+ or next;
while (my $commit_text = <$fd>) {
if (!grep m/$searchtext/i, $commit_text) {
next;
@@ -3815,7 +3822,7 @@ sub git_shortlog {
my $refs = git_get_references();
my $limit = sprintf("--max-count=%i", (100 * ($page+1)));
- open my $fd, "-|", git_cmd(), "rev-list", $limit, $hash
+ open my $fd, "-|", git_cmd(), "rev-list", $limit, $hash, "--"
or die_error(undef, "Open git-rev-list failed");
my @revlist = map { chomp; $_ } <$fd>;
close $fd;
@@ -3843,7 +3850,8 @@ sub git_shortlog {
sub git_rss {
# http://www.notestips.com/80256B3A007F2692/1/NAMO5P9UPQ
- open my $fd, "-|", git_cmd(), "rev-list", "--max-count=150", git_get_head_hash($project)
+ open my $fd, "-|", git_cmd(), "rev-list", "--max-count=150",
+ git_get_head_hash($project), "--"
or die_error(undef, "Open git-rev-list failed");
my @revlist = map { chomp; $_ } <$fd>;
close $fd or die_error(undef, "Reading git-rev-list failed");
@@ -3867,7 +3875,7 @@ XML
}
my %cd = parse_date($co{'committer_epoch'});
open $fd, "-|", git_cmd(), "diff-tree", '-r', @diff_opts,
- $co{'parent'}, $co{'id'}
+ $co{'parent'}, $co{'id'}, "--"
or next;
my @difftree = map { chomp; $_ } <$fd>;
close $fd
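Review bot: `$co{'parent'}` is passed straight through here, whereas the git_commit hunk above substitutes `"--root"` when there is no parent; for a root commit in the feed this call would run with an undefined parent argument before the `--`, and `or next` will not catch it because the pipe open itself succeeds. Suggest the same `--root` fallback here, and checking the `close $fd` return value as the other hunks do.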
--
1.4.3.3