git.vger.kernel.org archive mirror
* gitweb fails with pathinfo and project with ++ in the name
@ 2008-04-20 14:46 martin f krafft
  2008-04-20 15:53 ` Bug#476076: " Frank Lichtenheld
  0 siblings, 1 reply; 6+ messages in thread
From: martin f krafft @ 2008-04-20 14:46 UTC (permalink / raw)
  To: git discussion list; +Cc: 476076


Hi all,

please have a look at http://git.madduck.net/v/code/libfactory++.git
or http://git.madduck.net/v/code/libfactory%2b%2b.git.

I narrowed this down to the first line of CGI.pm's path_info sub:

  my ($self,$info) = self_or_default(@_);

but then my perl-foo wouldn't take me further.

gitweb works fine if I turn off pathinfo, but when it's turned on,
it cannot deal with two ++ in the name of projects.

The bug seems to be in CGI.pm, and I now wonder what to do about it.

Please keep the bug address <476076@bugs.debian.org> in Cc.

-- 
martin | http://madduck.net/ | http://two.sentenc.es/
 
"the association on this web site and in peter chappell
 publications, articles and books, made between remedy and diseases
 is used for clarity, but is not the functional reality and does not
 imply these resonances treat any disease. they merely vitalise and
 inform the self healing system."
                                                   -- peter chappell
 
spamtraps: madduck.bogus@madduck.net



* Re: Bug#476076: gitweb fails with pathinfo and project with ++ in the name
  2008-04-20 14:46 gitweb fails with pathinfo and project with ++ in the name martin f krafft
@ 2008-04-20 15:53 ` Frank Lichtenheld
  2008-04-20 21:03   ` martin f krafft
  0 siblings, 1 reply; 6+ messages in thread
From: Frank Lichtenheld @ 2008-04-20 15:53 UTC (permalink / raw)
  To: martin f krafft, 476076; +Cc: git discussion list

On Sun, Apr 20, 2008 at 04:46:54PM +0200, martin f krafft wrote:
> The bug seems to be in CGI.pm, and I now wonder what to do about it.

CGI->path_info in etch's version is broken, you need to either use a newer
CGI.pm or $ENV{PATH_INFO} directly.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/


* Re: Bug#476076: gitweb fails with pathinfo and project with ++ in the name
  2008-04-20 15:53 ` Bug#476076: " Frank Lichtenheld
@ 2008-04-20 21:03   ` martin f krafft
  2008-04-20 21:03     ` [PATCH] Escape project name in regexp martin f. krafft
  0 siblings, 1 reply; 6+ messages in thread
From: martin f krafft @ 2008-04-20 21:03 UTC (permalink / raw)
  To: git discussion list; +Cc: 476076


reassign 476076 perl-modules
forcemerge 411735 476076
thanks

also sprach Frank Lichtenheld <djpig@debian.org> [2008.04.20.1753 +0200]:
> CGI->path_info in etch's version is broken, you need to either use a newer
> CGI.pm or $ENV{PATH_INFO} directly.

Fwiw: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=411735

Fixing it exposed a similar bug in gitweb.perl; the patch will
follow in a few minutes.

-- 
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems



* [PATCH] Escape project name in regexp
  2008-04-20 21:03   ` martin f krafft
@ 2008-04-20 21:03     ` martin f. krafft
  2008-04-20 21:23       ` [PATCH] Escape project names before creating pathinfo URLs martin f. krafft
  0 siblings, 1 reply; 6+ messages in thread
From: martin f. krafft @ 2008-04-20 21:03 UTC (permalink / raw)
  To: git; +Cc: 476076, martin f. krafft

The project name, when used in a regular expression, needs to be quoted
properly, so that stuff like '++' in the project name does not cause
Perl to barf.

Related info: http://bugs.debian.org/476076
This is a bug in Perl's CGI.pm, but fixing that exposed a similar bug in
gitweb.perl

Signed-off-by: martin f. krafft <madduck@madduck.net>
---
 gitweb/gitweb.perl |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index a48bebb..9865f9a 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -511,7 +511,7 @@ sub evaluate_path_info {
 	}
 	# do not change any parameters if an action is given using the query string
 	return if $action;
-	$path_info =~ s,^$project/*,,;
+	$path_info =~ s,^\Q$project\E/*,,;
 	my ($refname, $pathname) = split(/:/, $path_info, 2);
 	if (defined $pathname) {
 		# we got "project.git/branch:filename" or "project.git/branch:dir/"
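Review bot: On the changed `s,^\Q$project\E/*,,` line, the trailing `/*` also matches zero slashes, so the substitution strips `$project` even when the next character of `$path_info` is not a path separator. If nothing above this hunk already guarantees that boundary, end the pattern with `(?:/+|\z)` instead. The commit message says the name needs quoting wherever it is used in a regular expression, while the diffstat shows this single site changed, so it is worth checking the rest of gitweb.perl for other patterns that interpolate `$project` and adding a test with a name such as `libfactory++.git`.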
-- 
1.5.5.rc2


* [PATCH] Escape project names before creating pathinfo URLs
  2008-04-20 21:03     ` [PATCH] Escape project name in regexp martin f. krafft
@ 2008-04-20 21:23       ` martin f. krafft
  2008-04-22  6:31         ` Junio C Hamano
  0 siblings, 1 reply; 6+ messages in thread
From: martin f. krafft @ 2008-04-20 21:23 UTC (permalink / raw)
  To: git; +Cc: martin f. krafft

If a project name contains special URL characters like +, gitweb's links
break in subtle ways. The solution is to pass the project name through
esc_url() and use the return value.

Signed-off-by: martin f. krafft <madduck@madduck.net>
---
 gitweb/gitweb.perl |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index a48bebb..241ae17 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -633,7 +633,7 @@ sub href(%) {
 	my ($use_pathinfo) = gitweb_check_feature('pathinfo');
 	if ($use_pathinfo) {
 		# use PATH_INFO for project name
-		$href .= "/$params{'project'}" if defined $params{'project'};
+		$href .= "/".esc_url($params{'project'}) if defined $params{'project'};
 		delete $params{'project'};
 
 		# Summary just uses the project path URL
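Review bot: In href(), the `+` line routes `$params{'project'}` through esc_url(), whose name suggests it escapes a whole URL rather than a single path. Please confirm that it also encodes characters that act as delimiters after the path, such as `?` and `#`; if it leaves them alone, a project name containing them would still produce a broken pathinfo link, and a path-specific escaper would be the safer choice here. A short comment stating that the value must be escaped before it is appended to `$href` would help the next person who touches this branch.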
@@ -2575,7 +2575,7 @@ EOF
 		my $action = $my_uri;
 		my ($use_pathinfo) = gitweb_check_feature('pathinfo');
 		if ($use_pathinfo) {
-			$action .= "/$project";
+			$action .= "/".esc_url($project);
 		} else {
 			$cgi->param("p", $project);
 		}
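Review bot: The `$action .= "/".esc_url($project)` line repeats the concatenation that the previous hunk adds to href(), so the pathinfo URL for a project is now built in two places that can drift apart. Consider building `$action` through href() or a small shared helper. The `else` branch hands the raw `$project` to `$cgi->param("p", $project)`, which deserves a one-line comment explaining why no escaping is needed on that path.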
-- 
1.5.5.rc2


* Re: [PATCH] Escape project names before creating pathinfo URLs
  2008-04-20 21:23       ` [PATCH] Escape project names before creating pathinfo URLs martin f. krafft
@ 2008-04-22  6:31         ` Junio C Hamano
  0 siblings, 0 replies; 6+ messages in thread
From: Junio C Hamano @ 2008-04-22  6:31 UTC (permalink / raw)
  To: martin f. krafft; +Cc: git, Jakub Narebski

Both patches make sense; will apply to 'maint'.

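The two fixes discussed in this thread, as an added Perl example that is not part of the original messages or of gitweb: it contrasts interpolating a project name into a pattern with and without `\Q...\E`, and percent-encodes the name for a pathinfo link. The sub names, the sample paths and the `esc_path` helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: a project name containing regex and URL
# metacharacters, and PATH_INFO values a request might carry.
my $project = 'code/libfactory++.git';
my @paths   = (
    'code/libfactory++.git/master:README',   # the real project
    'code/libfactoryyXgit/master:README',    # a different path
);

# "Before": the name is interpolated as a pattern. Depending on the Perl
# version, '++' either fails to compile or is read as a quantifier.
sub strip_unquoted {
    my ($proj, $path) = @_;
    my $ok = eval { $path =~ s,^$proj/*,,; 1 };
    return $ok ? $path : undef;    # undef: pattern did not compile
}

# "After": \Q...\E makes every character of the name literal.
sub strip_quoted {
    my ($proj, $path) = @_;
    $path =~ s,^\Q$proj\E/*,,;
    return $path;
}

# Hypothetical path escaper (not gitweb's esc_url): percent-encode every
# byte outside the RFC 3986 unreserved set, keeping "/" as the separator.
# Assumes a byte string.
sub esc_path {
    my ($str) = @_;
    $str =~ s/([^A-Za-z0-9\-_.~\/])/sprintf("%%%02X", ord($1))/eg;
    return $str;
}

for my $path (@paths) {
    my $u = strip_unquoted($project, $path);
    printf "%-38s unquoted=%-38s quoted=%s\n", $path,
        defined $u ? $u : '(compile error)', strip_quoted($project, $path);
}
print "pathinfo link: /", esc_path($project), "\n";
```

On a Perl that accepts `++` as a quantifier, the unquoted form leaves the real project's path unstripped and strips the prefix from the unrelated path, which is the quieter failure mode of the same bug.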
