v257

diff --git a/gitweb.cgi b/gitweb.cgi
index cbddd3e8402aa4a1424b32b25fb16e30653d0d2d..da1746e3d3de908dbba7e9516ae413df0960a42e 100755 (executable)
--- a/gitweb.cgi
+++ b/gitweb.cgi
@@ -17,7 +17,7 @@ use Fcntl ':mode';
 binmode STDOUT, ':utf8';
 
 my $cgi = new CGI;
-my $version =          "255";
+my $version =          "257";
 my $my_url =           $cgi->url();
 my $my_uri =           $cgi->url(-absolute => 1);
 my $rss_link =         "";
@@ -146,7 +146,7 @@ sub validate_input {
        if ($input =~ m/(^|\/)(|\.|\.\.)($|\/)/) {
                return undef;
        }
-       if ($input =~ m/[^a-zA-Z0-9_\x80-\xff\ \.\/\-\+\#\~\%]/) {
+       if ($input =~ m/[^a-zA-Z0-9_\x80-\xff\ \t\.\/\-\+\#\~\%]/) {
                return undef;
        }
        return $input;
@@ -1294,7 +1294,7 @@ sub git_get_hash_by_path {
                        my $t_mode = $1;
                        my $t_type = $2;
                        my $t_hash = $3;
-                       my $t_name = $4;
+                       my $t_name = validate_input(unquote($4));
                        if ($t_name eq $part) {
                                if (!(@parts)) {
                                        return $t_hash;
@@ -1311,7 +1311,7 @@ sub git_get_hash_by_path {
 sub git_blob {
        if (!defined $hash && defined $file_name) {
                my $base = $hash_base || git_read_hash("$project/HEAD");
-               $hash = git_get_hash_by_path($base, $file_name, "blob");
+               $hash = git_get_hash_by_path($base, $file_name, "blob") || die_error(undef, "Error lookup file.");
        }
        open my $fd, "-|", "$gitbin/git-cat-file blob $hash" or die_error(undef, "Open failed.");
        git_header_html();