Thu Feb 23 18:34:51 UTC 2006 Alberto Bertogli <albertogli@telpin.com.ar>
* Filter '"' in filenames.
For security, don't allow '"' in filenames.
If there is high demand, some alternative workaround could be implemented.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2016-01-01 09:00:49.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2016-01-01 09:00:49.000000000 +0000
@@ -66,7 +66,7 @@
def filter_file(s):
- if '..' in s:
+ if '..' in s or '"' in s:
raise 'FilterFile FAILED'
if s == '/':
return s
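Review bot: the added condition in filter_file (`'..' in s or '"' in s`) rejects one more character but nothing in the code or the commit message says which output context the double quote would break, so a reader cannot tell whether `"` alone is sufficient. Please add a short comment above the check naming where the filename is later placed inside quotes. If that is a quoted string built elsewhere in darcsweb.cgi, escaping at that point of use would be more robust than growing a character denylist here, and it would stop refusing legitimate filenames that contain `"`, which the commit message already flags as a possible need. The unchanged `raise 'FilterFile FAILED'` line could also raise a dedicated exception class, so callers can tell a rejected filename apart from other failures.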