diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-07-03 10:32:31 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-07-04 11:25:37 +0200 |
commit | b113764b0bdf98b7d1d643eb2f55c50988f31deb (patch) | |
tree | 29c8b3166a8532618ee09cbc8e6ebc261322c797 | |
parent | 87215cef000b2a49b31b14a759050db834b3497b (diff) | |
download | aurweb-b113764b0bdf98b7d1d643eb2f55c50988f31deb.tar.xz |
Sanitize merge base name in pkgreq_file()
Move the check introduced in 06b7099 (Validate package base name when
filing requests, 2014-07-02) from pkgbase.php to pkgreq_file().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/pkgbase.php | 7 | ||||
-rw-r--r-- | web/lib/pkgreqfuncs.inc.php | 4 |
2 files changed, 5 insertions, 6 deletions
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php index 9725db7..cf2b774 100644 --- a/web/html/pkgbase.php +++ b/web/html/pkgbase.php @@ -98,12 +98,7 @@ if (check_token()) { } elseif (current_action("do_ChangeCategory")) { list($ret, $output) = pkgbase_change_category($base_id, $atype); } elseif (current_action("do_FileRequest")) { - if (empty($_POST['merge_into']) || preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $_POST['merge_into'])) { - list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']); - } else { - $output = __("Invalid name: only lowercase letters are allowed."); - $ret = false; - } + list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']); } elseif (current_action("do_CloseRequest")) { list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']); } diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 53cf328..76780fe 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -72,6 +72,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_LOCATION; global $AUR_REQUEST_ML; + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) { + return array(false, __("Invalid name: only lowercase letters are allowed.")); + } + if (empty($comments)) { return array(false, __("The comment field must not be empty.")); } |