Fri Dec 30 21:08:43 UTC 2005 Alberto Bertogli <albertogli@telpin.com.ar>
* Escape filenames, just in case.
In the same spirit as the last patch, add escape() around prints of file
names. It's highly improbable, but it could happen for weird cases and it
seems worth the effort.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2015-12-09 15:01:16.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2015-12-09 15:01:16.000000000 +0000
@@ -735,7 +735,7 @@
if fname:
if fname[0] == '/': fname = fname[1:]
- s = "-s " + fname
+ s = '-s "%s"' % fname
else:
s = "-s --last=%d" % toget
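Review bot: Wrapping fname in double quotes on the new line does not neutralize it for the shell: `"`, `$`, backticks and `\` stay active inside double quotes, so a path such as `a"; rm -rf ~;"` still injects if the built string is run through a shell, which the string-typed `cmd` handed to `run_darcs` in the next hunk suggests it is. Use real shell quoting instead of a format string, `s = "-s " + pipes.quote(fname)`, or better have `run_darcs` accept an argv list and call `subprocess` without a shell. The leading-slash strip on the line above does not reject `..` components either, if that matters for this repository layout. The enclosing function begins before this hunk.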
@@ -900,7 +900,7 @@
cmd = 'annotate --xml-output'
if hash:
cmd += ' --match="hash %s"' % hash
- cmd += ' %s' % fname
+ cmd += ' "%s"' % fname
out = run_darcs(cmd)
return parse_annotate(out)
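Review bot: The added `' "%s"' % fname` has the same weakness as the first hunk: double quotes leave `"`, `$`, backticks and `\` live, so a crafted file name can still break out of the argument when `cmd` is passed to `run_darcs` as a shell string. Prefer `cmd += ' ' + pipes.quote(fname)`. The `hash` value two lines up is interpolated into the same command with no quoting at all; if it originates from the request rather than from darcs output it needs the same treatment. The function starts above the hunk.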
@@ -962,7 +962,7 @@
if fname:
title = '<a class="title" href="%s;a=filehistory;f=%s">' % \
(config.myreponame, fname)
- title += 'History for path %s' % fname
+ title += 'History for path %s' % escape(fname)
title += '</a>'
else:
title = '<a class="title" href="%s;a=shortlog">shortlog</a>' \
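Review bot: escape() now covers the visible link text, but the same `fname` still goes raw into the `href` attribute two lines earlier (`f=%s`), so a name containing `"` or `<` breaks out of the attribute exactly as it did in the text. Change the tuple to `(config.myreponame, escape(fname))`, matching what the later breadcrumb hunk does for `sofar`; if `escape` is `cgi.escape` with its default `quote=False`, double quotes pass through unchanged and `urllib.quote(fname)` is the safer choice for the `f=` parameter. The enclosing function continues on both sides of the hunk.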
@@ -1082,7 +1082,7 @@
def print_blob(fname):
- print '<div class="page_path"><b>%s</b></div>' % fname
+ print '<div class="page_path"><b>%s</b></div>' % escape(fname)
print '<div class="page_body">'
if isbinary(fname):
print """
@@ -1369,7 +1369,7 @@
'myreponame': config.myreponame,
'hash': p.hash,
'name': escape(p.name),
- 'fname': fname,
+ 'fname': escape(fname),
}
print_diff(dsrc)
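Review bot: escape() is right for an HTML text or quoted-attribute slot, but the template that consumes `%(fname)s` sits above this hunk, so it is not visible whether the value lands in link text or in the `f=` part of an href. If it is the latter, HTML escaping does not protect URL structure: a file name containing `;`, `#` or `?` still splits the query, and with `cgi.escape`'s default `quote=False` a `"` would still terminate the attribute. Using `urllib.quote(fname)` for the URL slot and `escape(fname)` for the text slot covers both; the same applies to the three identical dicts in the following hunks.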
@@ -1394,7 +1394,7 @@
'myreponame': config.myreponame,
'hash': p.hash,
'name': escape(p.name),
- 'fname': fname,
+ 'fname': escape(fname),
}
dsrc = get_darcs_diff(phash, fname)
@@ -1417,7 +1417,7 @@
'myreponame': config.myreponame,
'hash': p.hash,
'name': escape(p.name),
- 'fname': fname,
+ 'fname': escape(fname),
}
print_diff(dsrc)
@@ -1443,7 +1443,7 @@
'myreponame': config.myreponame,
'hash': p.hash,
'name': escape(p.name),
- 'fname': fname,
+ 'fname': escape(fname),
}
dsrc = get_darcs_headdiff(phash, fname)
@@ -1481,7 +1481,8 @@
'name': escape(p.name),
}
if p.comment:
- c = p.comment.replace('\n', '<br/>\n')
+ comment = escape(p.comment)
+ c = comment.replace('\n', '<br/>\n')
print '<div class="page_body">'
print escape(p.name), '<br/><br/>'
print c
@@ -1594,7 +1595,7 @@
if not p: continue
sofar += '/' + p
print '<a href="%s;a=tree;f=%s">%s</a> /' % \
- (config.myreponame, sofar, p)
+ (config.myreponame, escape(sofar), p)
print """
</b></div>
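Review bot: The breadcrumb still prints the path component `p` as raw link text on the changed line while only `sofar` inside the href is escaped, so a directory named `<script>…` is emitted verbatim into the page body. Change the tuple to `(config.myreponame, escape(sofar), escape(p))`. Whether `escape(sofar)` is sufficient inside the double-quoted href depends on `escape`'s definition, which is not in this patch; `cgi.escape` leaves `"` untouched unless called with `quote=True`, so `urllib.quote(sofar)` would be the more robust choice for the attribute. The enclosing loop begins before the hunk.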
@@ -1640,7 +1641,7 @@
</td>
""" % {
'myrname': config.myreponame,
- 'f': f,
+ 'f': escape(f),
'newf': filter_file(dname + '/' + f),
}
else:
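Review bot: The directory listing now escapes `f` for the text slot, but `newf` on the line below is produced by `filter_file(dname + '/' + f)` and, judging by the key name, is presumably the value placed in the href; nothing in the hunk shows that `filter_file` escapes or URL-encodes its result. If it does not, the same file name reaches an attribute unescaped and the fix is incomplete; `'newf': escape(filter_file(dname + '/' + f))` (or a `urllib.quote` of it) would close that, and the identical `fullf` key in the next hunk needs the same check. The template and the enclosing function lie outside the hunk.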
@@ -1653,7 +1654,7 @@
</td>
""" % {
'myrname': config.myreponame,
- 'f': f,
+ 'f': escape(f),
'fullf': filter_file(dname + '/' + f),
}
print '</tr>'