Fossil SCM
only allow a certain whitelist of characters for linked tags and hashes to guard against injection
Commit
70b2569ec0a0ee89cc4f67d43c99c07a4182b2b40c16c5ef6cbba02d02f1abaa
Parent
27f6238ce7b7536…
1 file changed
+12
-6
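--- a/src/tktsetup.c
+++ b/src/tktsetup.c
@@ -521,17 +521,23 @@
 @ <tr><td class="tktDspLabel">Version Found In:</td>
 @ <td colspan="3" valign="top" class="tktDspValue">
 @ <th1>
 @ set versionlink ""
 @ set urlfoundin [httpize $foundin]
-@ query {SELECT count(*) AS match FROM tag
-@ WHERE tagname=concat('sym-',$foundin)} {
-@ if {$match} {set versionlink "/timeline?t=$urlfoundin"}
+@ set tagpattern ^\[0-9A-Za-z_\\.\]+\$
+@ if [regexp $tagpattern $foundin] {
+@ query {SELECT count(*) AS match FROM tag
+@ WHERE tagname=concat('sym-',$foundin)} {
+@ if {$match} {set versionlink "/timeline?t=$urlfoundin"}
+@ }
 @ }
-@ set pattern $foundin%
-@ query {SELECT count(*) AS match FROM blob WHERE uuid GLOB $pattern} {
-@ if {$match} {set versionlink "/info/$urlfoundin"}
+@ set hashpattern ^\[0-9a-f\]+\$
+@ if [regexp $hashpattern $foundin] {
+@ set pattern $foundin*
+@ query {SELECT count(*) AS match FROM blob WHERE uuid GLOB $pattern} {
+@ if {$match} {set versionlink "/info/$urlfoundin"}
+@ }
 @ }
 @ if {$versionlink eq ""} {
 @ puts $foundin
 @ } else {
 @ html "<a href=\"$versionlink\">"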
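Review bot: The new tag whitelist on line 526 (`^[0-9A-Za-z_\.]+$`) leaves out `-`, so a "Version Found In" value that is a hyphenated symbolic tag no longer gets a timeline link and silently falls through to the plain `puts $foundin` branch on line 541, which looks like a functional regression relative to the previous unconditional lookup if the project uses such tag names. If hyphenated tags are meant to stay linkable, widen the class with a trailing literal hyphen while still keeping GLOB and regex metacharacters out: `@ set tagpattern ^\[0-9A-Za-z_\\.-\]+\$`. A short comment above the two patterns would also help the next reader, e.g. `@ # Link only values that look like a tag name or a hex hash; anything else is printed as text` — the hash check on line 534 is what keeps `*`, `?` and `[` out of the `$pattern` built on line 535 for the GLOB on line 536. The th1 template and the C function that embeds it start and end outside the hunk.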