about summary refs log tree commit homepage
path: root/lib/PublicInbox/WWW.pm
diff options
context:
space:
mode:
authorEric Wong <e@80x24.org>2019-06-04 10:19:34 +0000
committerEric Wong <e@80x24.org>2019-06-04 10:19:34 +0000
commit91af69a41f2963f1f952cb0932ed23cd86cd1093 (patch)
tree3aecb48b389197603a5feb8c39eb71dd2c86aba9 /lib/PublicInbox/WWW.pm
parentaedd4d6d205a4e9ae6d1d81fd011fb2f896be41b (diff)
downloadpublic-inbox-91af69a41f2963f1f952cb0932ed23cd86cd1093.tar.gz
Allowing admins to set non-ASCII CSS filenames could
cause unnecessary problems for client and proxies.
Diffstat (limited to 'lib/PublicInbox/WWW.pm')
-rw-r--r--lib/PublicInbox/WWW.pm8
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index f41f98ed..7ea98204 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -124,7 +124,7 @@ sub call {
                 r301($ctx, $1, $2);
         } elsif ($path_info =~ m!$INBOX_RE/_/text(?:/(.*))?\z!o) {
                 get_text($ctx, $1, $2);
-        } elsif ($path_info =~ m!$INBOX_RE/([\w\-\.]+)\.css\z!o) {
+        } elsif ($path_info =~ m!$INBOX_RE/([a-zA-Z0-9_\-\.]+)\.css\z!o) {
                 get_css($ctx, $1, $2);
         } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/\z!o) {
                 get_vcs_object($ctx, $1, $2);
@@ -536,11 +536,15 @@ sub stylesheets_prepare ($$) {
                         $inline_ok = 0;
                 } else {
                         my $fn = $_;
+                        my ($key) = (m!([^/]+?)(?:\.css)?\z!i);
+                        if ($key !~ /\A[a-zA-Z0-9_\-\.]+\z/) {
+                                warn "ignoring $fn, non-ASCII word character\n";
+                                next;
+                        }
                         open(my $fh, '<', $fn) or do {
                                 warn "failed to open $fn: $!\n";
                                 next;
                         };
-                        my ($key) = (m!([^/]+?)(?:\.css)?\z!i);
                         my $ctime = 0;
                         my $local = do { local $/; <$fh> };
                         if ($local =~ /\S/) {