Fossil SCM
Fix the "add" command so that it does not allow users to accidentally add files that contain shell wildcard characters.
Commit
da9d38e2c38f5271e1abbdee4a771a09be3a1812
Parent
d29dd11f2eb1793…
1 file changed
+3
+3
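--- a/src/add.c
+++ b/src/add.c
@@ -64,10 +64,13 @@
 file_tree_name(zName, &pathname);
 zPath = blob_str(&pathname);
 if( strcmp(zPath, "manifest")==0 || strcmp(zPath, "_FOSSIL_")==0 ){
 fossil_fatal("cannot add %s", zPath);
 }
+if( !file_is_simple_pathname(zPath) ){
+fossil_fatal("filename contains illegal characters: %s", zPath);
+}
 if( db_exists("SELECT 1 FROM vfile WHERE pathname=%Q", zPath) ){
 db_multi_exec("UPDATE vfile SET deleted=0 WHERE pathname=%Q", zPath);
 }else{
 db_multi_exec(
 "INSERT INTO vfile(vid,deleted,rid,mrid,pathname)"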
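Review bot: The new guard at new-side lines 69–71 has no comment saying what `file_is_simple_pathname()` rejects or why the check sits before the `vfile` lookup, and the helper's definition is not in this hunk, so a reader cannot tell which names are refused. I would add `/* Refuse names with shell wildcards or other non-simple characters so they never reach vfile. */` above the `if`. The message prints `zPath` verbatim and always says "illegal characters"; if the helper also rejects names for structural reasons, or the rejected set includes control characters, the text would mislead or echo raw bytes to the terminal — both are inferred, not visible here. It is also worth confirming that any other code path that writes `vfile.pathname` applies the same check, since this hunk only covers the one in `add`. The enclosing function starts and ends outside the hunk.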
| --- src/add.c | |
| +++ src/add.c | |
| @@ -64,10 +64,13 @@ | |
| 64 | file_tree_name(zName, &pathname); |
| 65 | zPath = blob_str(&pathname); |
| 66 | if( strcmp(zPath, "manifest")==0 || strcmp(zPath, "_FOSSIL_")==0 ){ |
| 67 | fossil_fatal("cannot add %s", zPath); |
| 68 | } |
| 69 | if( db_exists("SELECT 1 FROM vfile WHERE pathname=%Q", zPath) ){ |
| 70 | db_multi_exec("UPDATE vfile SET deleted=0 WHERE pathname=%Q", zPath); |
| 71 | }else{ |
| 72 | db_multi_exec( |
| 73 | "INSERT INTO vfile(vid,deleted,rid,mrid,pathname)" |
| 74 |
| --- src/add.c | |
| +++ src/add.c | |
| @@ -64,10 +64,13 @@ | |
| 64 | file_tree_name(zName, &pathname); |
| 65 | zPath = blob_str(&pathname); |
| 66 | if( strcmp(zPath, "manifest")==0 || strcmp(zPath, "_FOSSIL_")==0 ){ |
| 67 | fossil_fatal("cannot add %s", zPath); |
| 68 | } |
| 69 | if( !file_is_simple_pathname(zPath) ){ |
| 70 | fossil_fatal("filename contains illegal characters: %s", zPath); |
| 71 | } |
| 72 | if( db_exists("SELECT 1 FROM vfile WHERE pathname=%Q", zPath) ){ |
| 73 | db_multi_exec("UPDATE vfile SET deleted=0 WHERE pathname=%Q", zPath); |
| 74 | }else{ |
| 75 | db_multi_exec( |
| 76 | "INSERT INTO vfile(vid,deleted,rid,mrid,pathname)" |
| 77 |