* Invalid search parameter in webinterface @ 2009-04-29 9:12 Olaf Hering 2009-04-29 11:44 ` [PATCH] gitweb: escape searchtext and parameters for replay Michael J Gruber 0 siblings, 1 reply; 9+ messages in thread From: Olaf Hering @ 2009-04-29 9:12 UTC (permalink / raw) To: git Hello. An 'author' search string like "torvalds@linux" at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git generates a 'next' link due to the huge number of commits. This link has an incorrect escaping for the @ sign. The backslash does not work, it generates an error: 403 Forbidden - Invalid search parameter It should be s=torvalds%40linux instead of s=torvalds\@linux Olaf ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 9:12 Invalid search parameter in webinterface Olaf Hering @ 2009-04-29 11:44 ` Michael J Gruber 2009-04-29 12:28 ` Jakub Narebski 0 siblings, 1 reply; 9+ messages in thread From: Michael J Gruber @ 2009-04-29 11:44 UTC (permalink / raw) To: git; +Cc: Jakub Narebski, Olaf Hering Search texts may very likely include characters like '@' when grepping for author names. Currently, gitweb produces first/prev/next links with incorrectly escaped characters. Make gitweb escape searchtext and parameters which are reused in href() when replay is set. (cgi params are de-escaped when put into the parameter dictionary and need to be re-escaped when reused.) Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> --- Maybe something like this? Highly untested! Cheers, Michael gitweb/gitweb.perl | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 3f99361..e1b09f8 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -848,7 +848,7 @@ sub href (%) { if ($params{-replay}) { while (my ($name, $symbol) = each %cgi_param_mapping) { if (!exists $params{$name}) { - $params{$name} = $input_params{$name}; + $params{$name} = esc_url($input_params{$name}); } } } @@ -5775,7 +5775,7 @@ sub git_search { if ($page > 0) { $paging_nav .= $cgi->a({-href => href(action=>"search", hash=>$hash, - searchtext=>$searchtext, + searchtext=>esc_url($searchtext), searchtype=>$searchtype)}, "first"); $paging_nav .= " ⋅ " . -- 1.6.3.rc3 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 11:44 ` [PATCH] gitweb: escape searchtext and parameters for replay Michael J Gruber @ 2009-04-29 12:28 ` Jakub Narebski 2009-04-29 12:52 ` Olaf Hering 0 siblings, 1 reply; 9+ messages in thread From: Jakub Narebski @ 2009-04-29 12:28 UTC (permalink / raw) To: Michael J Gruber; +Cc: git, Olaf Hering On Wed, 29 April 2009, Michael J Gruber wrote: > Search texts may very likely include characters like '@' when grepping > for author names. Currently, gitweb produces first/prev/next links with > incorrectly escaped characters. > > Make gitweb escape searchtext and parameters which are reused in href() > when replay is set. (cgi params are de-escaped when put into the > parameter dictionary and need to be re-escaped when reused.) > > Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> > --- > Olaf Hering <olaf@aepfle.de> wrote: > >> An 'author' search string like "torvalds@linux" at >> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git >> generates a 'next' link due to the huge number of commits. >> >> This link has an incorrect escaping for the @ sign. >> The backslash does not work, it generates an error: >> >> 403 Forbidden - Invalid search parameter >> >> It should be s=torvalds%40linux instead of s=torvalds\@linux If you by hand edit URL changing '\@' to simply '@', does changed gitweb URL works correctly? > > Maybe something like this? Highly untested! No, the problem is not with lack of URI escaping in 's' parameter ('@' character is not forbidden for query string; it has special meaning and has to be escaped only in the hostname part), but with passing value _quoted for Perl_ (quotemeta) to href() subroutine. I'll try to come with the solution soon. > gitweb/gitweb.perl | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl > index 3f99361..e1b09f8 100755 > --- a/gitweb/gitweb.perl > +++ b/gitweb/gitweb.perl > @@ -848,7 +848,7 @@ sub href (%) { > if ($params{-replay}) { > while (my ($name, $symbol) = each %cgi_param_mapping) { > if (!exists $params{$name}) { > - $params{$name} = $input_params{$name}; > + $params{$name} = esc_url($input_params{$name}); > } > } > } > @@ -5775,7 +5775,7 @@ sub git_search { > if ($page > 0) { > $paging_nav .= > $cgi->a({-href => href(action=>"search", hash=>$hash, > - searchtext=>$searchtext, > + searchtext=>esc_url($searchtext), > searchtype=>$searchtype)}, > "first"); > $paging_nav .= " ⋅ " . This would result in double URI escaping, as at the end of href() subroutine we have: push @result, $symbol . "=" . esc_param($params{$name}); [...] $href .= "?" . join(';', @result) if scalar @result; return $href; Note that gitweb uses esc_param() and not esc_url() here; the rules are slightly different (you need to quote/escape ';', '?', '=' etc. for query parameter). -- Jakub Narebski Poland ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 12:28 ` Jakub Narebski @ 2009-04-29 12:52 ` Olaf Hering 2009-04-29 13:14 ` Jakub Narebski 0 siblings, 1 reply; 9+ messages in thread From: Olaf Hering @ 2009-04-29 12:52 UTC (permalink / raw) To: Jakub Narebski; +Cc: Michael J Gruber, git Am 29.04.2009 um 14:28 schrieb Jakub Narebski: > On Wed, 29 April 2009, Michael J Gruber wrote: >>> It should be s=torvalds%40linux instead of s=torvalds\@linux > > If you by hand edit URL changing '\@' to simply '@', does changed > gitweb URL works correctly? I tried akpm@osdl.org, and @ and . was escaped with a backslash. Removing both, and using the plain mail address worked. Olaf ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 12:52 ` Olaf Hering @ 2009-04-29 13:14 ` Jakub Narebski 2009-04-29 19:36 ` Jakub Narebski 0 siblings, 1 reply; 9+ messages in thread From: Jakub Narebski @ 2009-04-29 13:14 UTC (permalink / raw) To: Olaf Hering; +Cc: Michael J Gruber, git, John 'Warthog9' Hawley On Wed, 29 Apr 2009, Olaf Hering wrote: > Am 29.04.2009 um 14:28 schrieb Jakub Narebski: >> On Wed, 29 April 2009, Michael J Gruber wrote: > >>>> It should be s=torvalds%40linux instead of s=torvalds\@linux >> >> If you by hand edit URL changing '\@' to simply '@', does changed >> gitweb URL works correctly? > > I tried akpm@osdl.org, and @ and . was escaped with a backslash. > Removing both, and using the plain mail address worked. This problem was fixed in 7e431ef (gitweb: Separate search regexp from search text), but this fix is present in git 1.5.2 and later, and kernel.org gitweb is a fork (adding caching mechanism) of 1.4.5-rc0, according to info in git.kernel.org HTML source, and it does not have this fix. http://git.kernel.org/?p=git/warthog9/gitweb.git;a=summary I have CC-ed J.H. on this. -- Jakub Narebski Poland ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 13:14 ` Jakub Narebski @ 2009-04-29 19:36 ` Jakub Narebski 2009-04-29 20:07 ` Michael J Gruber 2009-04-29 23:11 ` J.H. 0 siblings, 2 replies; 9+ messages in thread From: Jakub Narebski @ 2009-04-29 19:36 UTC (permalink / raw) To: Olaf Hering; +Cc: Michael J Gruber, git, John 'Warthog9' Hawley On Wed, 29 Apr 2009, Jakub Narebski wrote: > On Wed, 29 Apr 2009, Olaf Hering wrote: >> Am 29.04.2009 um 14:28 schrieb Jakub Narebski: >>> On Wed, 29 April 2009, Michael J Gruber wrote: >>>>> >>>>> It should be s=torvalds%40linux instead of s=torvalds\@linux >>> >>> If you by hand edit URL changing '\@' to simply '@', does changed >>> gitweb URL works correctly? >> >> I tried akpm@osdl.org, and @ and . was escaped with a backslash. >> Removing both, and using the plain mail address worked. > > This problem was fixed in 7e431ef (gitweb: Separate search regexp from > search text), but this fix is present in git 1.5.2 and later, I have just checked that current gitweb (1.6.2.rc1.20.g8c5b) does not have this bug... > and kernel.org gitweb is a fork (adding caching mechanism) of > 1.4.5-rc0 (according to info in git.kernel.org HTML source), and > it does not have this fix. > > http://git.kernel.org/?p=git/warthog9/gitweb.git;a=summary > > I have CC-ed J.H. on this. ... so J.H., or Lea Wiemann, or whoever manages gitweb on kernel.org should backport this fix to kernel.org's fork of gitweb sources. -- Jakub Narebski Poland ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 19:36 ` Jakub Narebski @ 2009-04-29 20:07 ` Michael J Gruber 2009-04-29 23:11 ` J.H. 1 sibling, 0 replies; 9+ messages in thread From: Michael J Gruber @ 2009-04-29 20:07 UTC (permalink / raw) To: Jakub Narebski; +Cc: Olaf Hering, git, John 'Warthog9' Hawley Jakub Narebski venit, vidit, dixit 29.04.2009 21:36: > On Wed, 29 Apr 2009, Jakub Narebski wrote: >> On Wed, 29 Apr 2009, Olaf Hering wrote: >>> Am 29.04.2009 um 14:28 schrieb Jakub Narebski: >>>> On Wed, 29 April 2009, Michael J Gruber wrote: >>>>>> >>>>>> It should be s=torvalds%40linux instead of s=torvalds\@linux >>>> >>>> If you by hand edit URL changing '\@' to simply '@', does changed >>>> gitweb URL works correctly? >>> >>> I tried akpm@osdl.org, and @ and . was escaped with a backslash. >>> Removing both, and using the plain mail address worked. >> >> This problem was fixed in 7e431ef (gitweb: Separate search regexp from >> search text), but this fix is present in git 1.5.2 and later, > > I have just checked that current gitweb (1.6.2.rc1.20.g8c5b) > does not have this bug... Yes, I should have tested before suggesting a patch blindly. Sorry! > >> and kernel.org gitweb is a fork (adding caching mechanism) of >> 1.4.5-rc0 (according to info in git.kernel.org HTML source), and >> it does not have this fix. >> >> http://git.kernel.org/?p=git/warthog9/gitweb.git;a=summary >> >> I have CC-ed J.H. on this. > > ... so J.H., or Lea Wiemann, or whoever manages gitweb on kernel.org > should backport this fix to kernel.org's fork of gitweb sources. > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] gitweb: escape searchtext and parameters for replay 2009-04-29 19:36 ` Jakub Narebski 2009-04-29 20:07 ` Michael J Gruber @ 2009-04-29 23:11 ` J.H. 2009-04-30 10:17 ` [PATCH (backport for warthog9/gitweb.git)] gitweb: Separate search regexp from search text Jakub Narebski 1 sibling, 1 reply; 9+ messages in thread From: J.H. @ 2009-04-29 23:11 UTC (permalink / raw) To: Jakub Narebski Cc: Olaf Hering, Michael J Gruber, git, John 'Warthog9' Hawley Jakub Narebski wrote: > On Wed, 29 Apr 2009, Jakub Narebski wrote: >> On Wed, 29 Apr 2009, Olaf Hering wrote: >>> Am 29.04.2009 um 14:28 schrieb Jakub Narebski: >>>> On Wed, 29 April 2009, Michael J Gruber wrote: >>>>>> It should be s=torvalds%40linux instead of s=torvalds\@linux >>>> If you by hand edit URL changing '\@' to simply '@', does changed >>>> gitweb URL works correctly? >>> I tried akpm@osdl.org, and @ and . was escaped with a backslash. >>> Removing both, and using the plain mail address worked. >> This problem was fixed in 7e431ef (gitweb: Separate search regexp from >> search text), but this fix is present in git 1.5.2 and later, > > I have just checked that current gitweb (1.6.2.rc1.20.g8c5b) > does not have this bug... > >> and kernel.org gitweb is a fork (adding caching mechanism) of >> 1.4.5-rc0 (according to info in git.kernel.org HTML source), and >> it does not have this fix. >> >> http://git.kernel.org/?p=git/warthog9/gitweb.git;a=summary >> >> I have CC-ed J.H. on this. > > ... so J.H., or Lea Wiemann, or whoever manages gitweb on kernel.org > should backport this fix to kernel.org's fork of gitweb sources. Patches, as always, are welcome - I've got a few queued up already, but if I have to do it I won't be getting back around to it for a bit (there are other things on my priority list right now). - John "Warthog9" Hawley ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH (backport for warthog9/gitweb.git)] gitweb: Separate search regexp from search text 2009-04-29 23:11 ` J.H. @ 2009-04-30 10:17 ` Jakub Narebski 0 siblings, 0 replies; 9+ messages in thread From: Jakub Narebski @ 2009-04-30 10:17 UTC (permalink / raw) To: J.H.; +Cc: Olaf Hering, Michael J Gruber, git Separate search text, which is saved in $searchtext global variable, and is used in links, as default value for the textfield in search form, and for pickaxe search, from search regexp, which is saved in $search_regexp global variable, and is used as parameter to --grep, --committer or --author options to git-rev-list, and for searching commit body in gitweb. For now $search_regexp is unconditionally equal to quotemeta($searchtext), meaning that we always search for fixed string. This fixes bug where 'next page' links for 'search' view didn't work for searchtext containing quotable characters, like `@'. (manually cherry picked from 7e431ef9ab933d7ff899a999e40627ab49774f3a) Olaf Hering noticed that this bug was still present, and this bugfix was not ported to kernel.org's fork of gitweb. Signed-off-by: Jakub Narebski <jnareb@gmail.com> --- On Thu, 30 Apr 2009, J.H. wrote: > Jakub Narebski wrote: > > I have just checked that current gitweb (1.6.2.rc1.20.g8c5b) > > does not have this bug... [...] > > ... so J.H., or Lea Wiemann, or whoever manages gitweb on kernel.org > > should backport this fix to kernel.org's fork of gitweb sources. > > Patches, as always, are welcome - I've got a few queued up already, but > if I have to do it I won't be getting back around to it for a bit (there > are other things on my priority list right now). Here you have backport of 7e431ef (gitweb: Separate search regexp from search text) on top of 'master' branch of kernel.org's fork of gitweb: git://git.kernel.org/pub/scm/git/warthog9/gitweb.git The only difference is that git_search_grep_body is in separate gitweb/gitweb/search.pm file in kernel.org's fork. The change is otherwise identical. Not tested! gitweb/gitweb.perl | 5 +++-- gitweb/gitweb/search.pm | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 984161c..aee9239 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -231,6 +231,7 @@ if (defined $page) { } our $searchtext = $cgi->param('s'); +our $search_regexp; if (defined $searchtext) { if ($searchtext =~ m/[^a-zA-Z0-9_\.\/\-\+\:\@ ]/) { die_error(undef, "Invalid search parameter"); @@ -238,7 +239,7 @@ if (defined $searchtext) { if (length($searchtext) < 2) { die_error(undef, "At least two characters are required for search parameter"); } - $searchtext = quotemeta $searchtext; + $search_regexp = quotemeta $searchtext; } our $searchtype = $cgi->param('st'); @@ -1702,7 +1703,7 @@ sub git_search { } elsif ($searchtype eq 'committer') { $greptype = "--committer="; } - $greptype .= $searchtext; + $greptype .= $search_regexp; my @commitlist = parse_commits($hash, 101, (100 * $page), $greptype); my $paging_nav = ''; diff --git a/gitweb/gitweb/search.pm b/gitweb/gitweb/search.pm index f1aea0a..a381f4e 100644 --- a/gitweb/gitweb/search.pm +++ b/gitweb/gitweb/search.pm @@ -33,7 +33,7 @@ sub git_search_grep_body { esc_html(chop_str($co{'title'}, 50)) . "<br/>"); my $comment = $co{'comment'}; foreach my $line (@$comment) { - if ($line =~ m/^(.*)($searchtext)(.*)$/i) { + if ($line =~ m/^(.*)($search_regexp)(.*)$/i) { my $lead = esc_html($1) || ""; $lead = chop_str($lead, 30, 10); my $match = esc_html($2) || ""; -- 1.6.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
end of thread, other threads:[~2009-04-30 10:17 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-04-29 9:12 Invalid search parameter in webinterface Olaf Hering 2009-04-29 11:44 ` [PATCH] gitweb: escape searchtext and parameters for replay Michael J Gruber 2009-04-29 12:28 ` Jakub Narebski 2009-04-29 12:52 ` Olaf Hering 2009-04-29 13:14 ` Jakub Narebski 2009-04-29 19:36 ` Jakub Narebski 2009-04-29 20:07 ` Michael J Gruber 2009-04-29 23:11 ` J.H. 2009-04-30 10:17 ` [PATCH (backport for warthog9/gitweb.git)] gitweb: Separate search regexp from search text Jakub Narebski
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).