author | Eric Wong <e@80x24.org> | 2019-06-04 09:02:01 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2019-06-04 10:06:18 +0000 |
commit | bb64c28a4a2688171b7625e99ed72dd51a5ee074 (patch) | |
tree | 284f707597ede40d01d9cc3df8b81735f0927825 /lib/PublicInbox/WWW.pm | |
parent | c5621af43e9c7cb1ff0565aa61a1d8fced55a23b (diff) | |
download | public-inbox-bb64c28a4a2688171b7625e99ed72dd51a5ee074.tar.gz |
Our Hval::to_filename sub has always been strict about emitting ASCII-only characters for ViewVCS "raw" links. However, somebody could manually generate a filename with non-ASCII words for somebody else to download (we have no cheap and fast way of mapping filenames back to blobs for validation).
Diffstat (limited to 'lib/PublicInbox/WWW.pm')
-rw-r--r-- | lib/PublicInbox/WWW.pm | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm index 50b6950c..7670224f 100644 --- a/lib/PublicInbox/WWW.pm +++ b/lib/PublicInbox/WWW.pm @@ -127,7 +127,8 @@ sub call { get_css($ctx, $1, $2); } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/\z!o) { get_vcs_object($ctx, $1, $2); - } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/([\w\.\-]+)\z!o) { + } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/ + ($PublicInbox::Hval::FN)\z!ox) { get_vcs_object($ctx, $1, $2, $3); } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s\z!o) { r301($ctx, $1, $2, 's/'); |
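Review bot: The replacement branch in `sub call` depends on `$PublicInbox::Hval::FN`, which is defined outside this file, so the ASCII-only guarantee the commit message describes cannot be confirmed from this hunk. Please make sure FN is an explicit ASCII character class (or is compiled with `/a`), since the old `[\w\.\-]+` shows how `\w` can admit non-ASCII word characters. Two smaller points on the same lines: the added `/x` modifier applies to the whole pattern, so if `$INBOX_RE` or `$OID_RE` are interpolated as plain strings rather than `qr//` objects, any literal whitespace or `#` in them would change meaning; and because the match keeps `/o`, FN has to be defined before the first request reaches this branch. A test that requests a `/s/` filename containing a non-ASCII word character and asserts that this route does not match would pin the behaviour down.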