about summary refs log tree commit homepage
path: root/lib/PublicInbox/WWW.pm
diff options
context:
space:
mode:
authorEric Wong <e@80x24.org>2019-06-04 09:02:01 +0000
committerEric Wong <e@80x24.org>2019-06-04 10:06:18 +0000
commitbb64c28a4a2688171b7625e99ed72dd51a5ee074 (patch)
tree284f707597ede40d01d9cc3df8b81735f0927825 /lib/PublicInbox/WWW.pm
parentc5621af43e9c7cb1ff0565aa61a1d8fced55a23b (diff)
downloadpublic-inbox-bb64c28a4a2688171b7625e99ed72dd51a5ee074.tar.gz
Our Hval::to_filename sub has always been strict about emitting
ASCII-only characters for ViewVCS "raw" links.

However, somebody could manually generate a filename with
non-ASCII words for somebody else to download (we have no
cheap and fast way of mapping filenames back to blobs for
validation).
Diffstat (limited to 'lib/PublicInbox/WWW.pm')
-rw-r--r--lib/PublicInbox/WWW.pm3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index 50b6950c..7670224f 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -127,7 +127,8 @@ sub call {
                 get_css($ctx, $1, $2);
         } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/\z!o) {
                 get_vcs_object($ctx, $1, $2);
-        } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/([\w\.\-]+)\z!o) {
+        } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/
+                                ($PublicInbox::Hval::FN)\z!ox) {
                 get_vcs_object($ctx, $1, $2, $3);
         } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s\z!o) {
                 r301($ctx, $1, $2, 's/');