Added proper input escaping
@@ -69,6 +69,10 @@ class Application extends SilexApplication
|
||||
return $twig;
|
||||
}));
|
||||
|
||||
$this['escaper.argument'] = $this->share(function() {
|
||||
return new Escaper\ArgumentEscaper();
|
||||
});
|
||||
|
||||
// Handle errors
|
||||
$this->error(function (\Exception $e, $code) use ($app) {
|
||||
if ($app['debug']) {
|
||||
|
||||
@@ -43,6 +43,7 @@ class BlobController implements ControllerProviderInterface
|
||||
));
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', '.+')
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('blob');
|
||||
|
||||
$route->get('{repo}/raw/{commitishPath}', function ($repo, $commitishPath) use ($app) {
|
||||
@@ -66,6 +67,7 @@ class BlobController implements ControllerProviderInterface
|
||||
return new Response($blob, 200, $headers);
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('blob_raw');
|
||||
|
||||
return $route;
|
||||
|
||||
@@ -61,6 +61,7 @@ class CommitController implements ControllerProviderInterface
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->value('commitishPath', null)
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('commits');
|
||||
|
||||
$route->post('{repo}/commits/{branch}/search', function (Request $request, $repo, $branch = '') use ($app) {
|
||||
@@ -89,6 +90,7 @@ class CommitController implements ControllerProviderInterface
|
||||
));
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('searchcommits');
|
||||
|
||||
$route->get('{repo}/commit/{commit}', function ($repo, $commit) use ($app) {
|
||||
@@ -125,6 +127,7 @@ class CommitController implements ControllerProviderInterface
|
||||
));
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('blame');
|
||||
|
||||
return $route;
|
||||
|
||||
@@ -48,6 +48,7 @@ class MainController implements ControllerProviderInterface
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->value('branch', null)
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('stats');
|
||||
|
||||
$route->get('{repo}/{branch}/rss/', function($repo, $branch) use ($app) {
|
||||
@@ -69,6 +70,7 @@ class MainController implements ControllerProviderInterface
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->value('branch', null)
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('rss');
|
||||
|
||||
return $route;
|
||||
|
||||
@@ -55,7 +55,7 @@ class NetworkController implements ControllerProviderInterface
|
||||
}
|
||||
|
||||
$nextPageUrl = null;
|
||||
|
||||
|
||||
if ($pager['last'] !== $pager['current']) {
|
||||
$nextPageUrl = $app['url_generator']->generate(
|
||||
'networkData',
|
||||
@@ -66,10 +66,10 @@ class NetworkController implements ControllerProviderInterface
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
// when no commits are given, return an empty response - issue #369
|
||||
if( count($commits) === 0 ) {
|
||||
return $app->json( array(
|
||||
return $app->json( array(
|
||||
'repo' => $repo,
|
||||
'commitishPath' => $commitishPath,
|
||||
'nextPage' => null,
|
||||
@@ -91,6 +91,7 @@ class NetworkController implements ControllerProviderInterface
|
||||
)->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->value('commitishPath', null)
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->assert('page', '\d+')
|
||||
->value('page', '0')
|
||||
->bind('networkData');
|
||||
@@ -119,6 +120,7 @@ class NetworkController implements ControllerProviderInterface
|
||||
)->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->value('commitishPath', null)
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('network');
|
||||
|
||||
return $route;
|
||||
|
||||
@@ -45,6 +45,7 @@ class TreeController implements ControllerProviderInterface
|
||||
));
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('commitishPath', $app['util.routing']->getCommitishPathRegex())
|
||||
->convert('commitishPath', 'escaper.argument:escape')
|
||||
->bind('tree');
|
||||
|
||||
$route->post('{repo}/tree/{branch}/search', function (Request $request, $repo, $branch = '', $tree = '') use ($app) {
|
||||
@@ -69,6 +70,7 @@ class TreeController implements ControllerProviderInterface
|
||||
));
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('search');
|
||||
|
||||
$route->get('{repo}/{format}ball/{branch}', function($repo, $format, $branch) use ($app) {
|
||||
@@ -95,6 +97,7 @@ class TreeController implements ControllerProviderInterface
|
||||
})->assert('format', '(zip|tar)')
|
||||
->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('archive');
|
||||
|
||||
|
||||
@@ -102,6 +105,7 @@ class TreeController implements ControllerProviderInterface
|
||||
return $treeController($repo, $branch);
|
||||
})->assert('repo', $app['util.routing']->getRepositoryRegex())
|
||||
->assert('branch', $app['util.routing']->getBranchRegex())
|
||||
->convert('branch', 'escaper.argument:escape')
|
||||
->bind('branch');
|
||||
|
||||
$route->get('{repo}/', function($repo) use ($app, $treeController) {
|
||||
|
||||
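--- /dev/null
+++ b/src/GitList/Escaper/ArgumentEscaper.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace GitList\Escaper;
+
+class ArgumentEscaper
+{
+public function escape($argument)
+{
+if ($argument === null) {
+return null;
+}
+
+return escapeshellcmd($argument);
+}
+}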
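Review bot: `escapeshellcmd()` is the wrong primitive for a single argument: it is designed for a complete command string, leaves whitespace untouched and escapes quotes only when they are unpaired, so a converted value can still be split into several arguments or, when it begins with `-`, be read by git as an option. If the git wrapper assembles its command as a string and does not quote the value itself, `return escapeshellarg($argument);` is the per-argument escape; in either case the wrapper should place `--` before ref and path arguments, which no escaping function provides — that code is outside this diff and needs confirming. The method also carries no type declarations; `public function escape(?string $argument): ?string` documents the null pass-through the body already implements. A short docblock stating that the return value is meant for shell use only and must not be reused for display or URL generation would stop the converter output being treated as the canonical value.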