Fri Dec 30 21:08:43 UTC 2005 Alberto Bertogli <albertogli@telpin.com.ar>
* Escape filenames, just in case.
In the same spirit as the last patch, add escape() around prints of file
names. It's highly improbable, but it could happen for weird cases and it
seems worth the effort.
{
hunk ./darcsweb.cgi 738
- s = "-s " + fname
+ s = '-s "%s"' % fname
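Review bot: on the `+` line, wrapping fname in double quotes only guards against spaces; a name containing a double quote, `$`, a backtick or a backslash still changes the resulting string. If `s` ends up in a command line run through a shell, use a real shell-quoting routine or pass the arguments as a list without a shell. The description only talks about escape() around prints, so this command-side change deserves its own mention there.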
hunk ./darcsweb.cgi 903
- cmd += ' %s' % fname
+ cmd += ' "%s"' % fname
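Review bot: `cmd += ' "%s"' % fname` hand-quotes an argument inside a command string, and this is the second place in the patch doing so (see hunk 738). Routing every file name through one quoting helper, or building the command as an argument list, would avoid having to get the quoting right at each call site, and would cover characters that double quotes alone do not neutralise.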
hunk ./darcsweb.cgi 965
- title += 'History for path %s' % fname
+ title += 'History for path %s' % escape(fname)
hunk ./darcsweb.cgi 1085
- print '<div class="page_path"><b>%s</b></div>' % fname
+ print '<div class="page_path"><b>%s</b></div>' % escape(fname)
hunk ./darcsweb.cgi 1372
- 'fname': fname,
+ 'fname': escape(fname),
hunk ./darcsweb.cgi 1397
- 'fname': fname,
+ 'fname': escape(fname),
hunk ./darcsweb.cgi 1420
- 'fname': fname,
+ 'fname': escape(fname),
hunk ./darcsweb.cgi 1446
- 'fname': fname,
+ 'fname': escape(fname),
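Review bot: `'fname': escape(fname)` is now repeated verbatim in hunks 1372, 1397, 1420 and 1446, which makes it easy to miss a site the next time a template dict is added. Consider escaping once where fname is first obtained for display, or a small helper that builds these dicts. The visible lines do not show where the template uses the `fname` key; if any of them place it inside a URL, HTML escaping alone is not the right encoding there, so please confirm.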
hunk ./darcsweb.cgi 1484
- c = p.comment.replace('\n', '<br/>\n')
+ comment = escape(p.comment)
+ c = comment.replace('\n', '<br/>\n')
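Review bot: this hunk escapes p.comment, which is not a file name, so the description ("add escape() around prints of file names") undersells the change; please mention patch comments there. The order is right, with escape() running before the `<br/>` substitution so the inserted tags survive, and a one-line code comment saying the order matters would stop someone from swapping the two lines later.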
hunk ./darcsweb.cgi 1598
- (config.myreponame, sofar, p)
+ (config.myreponame, escape(sofar), p)
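Review bot: in the tuple `(config.myreponame, escape(sofar), p)` only `sofar` is escaped, while `p` goes into the same format string unchanged. If `p` is a component of the same path it needs escape() as well; if it is already safe at this point, a short comment saying why would help the next reader.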
hunk ./darcsweb.cgi 1644
- 'f': f,
+ 'f': escape(f),
hunk ./darcsweb.cgi 1657
- 'f': f,
+ 'f': escape(f),
}