}
}
+# We have to handle those containing any characters:
our $file_name = $cgi->param('f');
-if (defined $file_name) {
- if (!validate_input($file_name)) {
- die_error(undef, "Invalid file parameter");
- }
-}
-
our $file_parent = $cgi->param('fp');
-if (defined $file_parent) {
- if (!validate_input($file_parent)) {
- die_error(undef, "Invalid file parent parameter");
- }
-}
our $hash = $cgi->param('h');
if (defined $hash) {
$action ||= "blob_plain";
}
$hash_base ||= validate_input($refname);
- $file_name ||= validate_input($pathname);
+ $file_name ||= $pathname;
} elsif (defined $refname) {
# we got "project.git/branch"
$action ||= "shortlog";
# correct, but quoted slashes look too horrible in bookmarks
sub esc_param {
my $str = shift;
- $str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&=])/sprintf("%%%02X", ord($1))/eg;
+ $str =~ s/([^A-Za-z0-9\-_.~()\/:@])/sprintf("%%%02X", ord($1))/eg;
$str =~ s/\+/%2B/g;
$str =~ s/ /\+/g;
return $str;
if (length($short) < length($long)) {
return $cgi->a({-href => $href, -class => "list subject",
- -title => $long},
+ -title => decode("utf8", $long, Encode::FB_DEFAULT)},
esc_html($short) . $extra);
} else {
return $cgi->a({-href => $href, -class => "list subject"},
sub git_get_project_url_list {
my $path = shift;
- open my $fd, "$projectroot/$path/cloneurl" or return undef;
+ open my $fd, "$projectroot/$path/cloneurl" or return;
my @git_project_url_list = map { chomp; $_ } <$fd>;
close $fd;
if (defined $action) {
$title .= "/$action";
if (defined $file_name) {
- $title .= " - $file_name";
+ $title .= " - " . esc_html($file_name);
if ($action eq "tree" && $file_name !~ m|/$|) {
$title .= "/";
}
if ($ftype !~ "blob") {
die_error("400 Bad Request", "Object is not a blob");
}
- open ($fd, "-|", git_cmd(), "blame", '-l', $file_name, $hash_base)
+ open ($fd, "-|", git_cmd(), "blame", '-l', '--', $file_name, $hash_base)
or die_error(undef, "Open git-blame failed");
git_header_html();
my $formats_nav =
if ($have_snapshot) {
# FIXME: Should be available when we have no hash base as well.
push @views_nav,
- $cgi->a({-href => href(action=>"snapshot")},
+ $cgi->a({-href => href(action=>"snapshot", hash=>$hash)},
"snapshot");
}
git_print_page_nav('tree','', $hash_base, undef, undef, join(' | ', @views_nav));
" | " .
$cgi->a({-href => href(action=>"commitdiff", hash=>$commit)}, "commitdiff") .
" | " .
- $cgi->a({-href => href(action=>"tree", hash=>$commit), hash_base=>$commit}, "tree") .
+ $cgi->a({-href => href(action=>"tree", hash=>$commit, hash_base=>$commit)}, "tree") .
"<br/>\n" .
"</div>\n" .
"<i>" . esc_html($co{'author_name'}) . " [$ad{'rfc2822'}]</i><br/>\n" .
-type => 'text/plain',
-charset => 'utf-8',
-expires => $expires,
- -content_disposition => qq(inline; filename="${file_name}.patch"));
+ -content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch"));
print "X-Git-Url: " . $cgi->self_url() . "\n\n";
} else {
while (my $line = <$fd>) {
- $line =~ s!a/($hash|$hash_parent)!a/$diffinfo{'from_file'}!g;
- $line =~ s!b/($hash|$hash_parent)!b/$diffinfo{'to_file'}!g;
+ $line =~ s!a/($hash|$hash_parent)!'a/'.esc_html($diffinfo{'from_file'})!eg;
+ $line =~ s!b/($hash|$hash_parent)!'b/'.esc_html($diffinfo{'to_file'})!eg;
print $line;
if (!($line =~ m/^:([0-7]{6}) ([0-7]{6}) ([0-9a-fA-F]{40}) ([0-9a-fA-F]{40}) (.)([0-9]{0,3})\t(.*)$/)) {
next;
}
- my $file = validate_input(unquote($7));
+ my $file = esc_html(unquote($7));
$file = decode("utf8", $file, Encode::FB_DEFAULT);
print "$file<br/>\n";
}