Verify rev and rev_to params format in RepositoriesController. And turn revision...

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1324 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 10c235d6535bf48bb8bc535e2e92b32ce6ca4f06..9b59b51ec1eeb26383d81a24ab0fb0fa89fcdec1 100644 (file)
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -19,8 +19,8 @@ require 'SVG/Graph/Bar'
 require 'SVG/Graph/BarHorizontal'
 require 'digest/sha1'
 
-class ChangesetNotFound < Exception
-end
+class ChangesetNotFound < Exception; end
+class InvalidRevisionParam < Exception; end
 
 class RepositoriesController < ApplicationController
   layout 'base'
@@ -135,7 +135,6 @@ class RepositoriesController < ApplicationController
   end
   
   def diff
-    @rev_to = params[:rev_to]
     @diff_type = params[:type] || User.current.pref[:diff_type] || 'inline'
     @diff_type = 'inline' unless %w(inline sbs).include?(@diff_type)
     
@@ -180,6 +179,8 @@ private
     render_404
   end
   
+  REV_PARAM_RE = %r{^[a-f0-9]*$}
+  
   def find_repository
     @project = Project.find(params[:id])
     @repository = @project.repository
@@ -187,8 +188,12 @@ private
     @path = params[:path].join('/') unless params[:path].nil?
     @path ||= ''
     @rev = params[:rev]
+    @rev_to = params[:rev_to]
+    raise InvalidRevisionParam unless @rev.to_s.match(REV_PARAM_RE) && @rev.to_s.match(REV_PARAM_RE)
   rescue ActiveRecord::RecordNotFound
     render_404
+  rescue InvalidRevisionParam
+    show_error_not_found
   end
 
   def show_error_not_found

diff --git a/lib/redmine/scm/adapters/subversion_adapter.rb b/lib/redmine/scm/adapters/subversion_adapter.rb
index 1e0320e2ca506a86f79713c8690d9d3821f6dd31..efbd3ba8e174e6559d22ff4126a1023688b97527 100644 (file)
--- a/lib/redmine/scm/adapters/subversion_adapter.rb
+++ b/lib/redmine/scm/adapters/subversion_adapter.rb
@@ -62,7 +62,7 @@ module Redmine
         # or nil if the given path doesn't exist in the repository\r
         def entries(path=nil, identifier=nil)\r
           path ||= ''\r
-          identifier = 'HEAD' unless identifier and identifier > 0\r
+          identifier = (identifier and identifier.to_i > 0) ? identifier.to_i : "HEAD"\r
           entries = Entries.new\r
           cmd = "#{SVN_BIN} list --xml #{target(path)}@#{identifier}"\r
           cmd << credentials_string\r
@@ -94,8 +94,8 @@ module Redmine
     \r
         def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={})\r
           path ||= ''\r
-          identifier_from = 'HEAD' unless identifier_from and identifier_from.to_i > 0\r
-          identifier_to = 1 unless identifier_to and identifier_to.to_i > 0\r
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : "HEAD"\r
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : 1\r
           revisions = Revisions.new\r
           cmd = "#{SVN_BIN} log --xml -r #{identifier_from}:#{identifier_to}"\r
           cmd << credentials_string\r
@@ -131,11 +131,9 @@ module Redmine
         \r
         def diff(path, identifier_from, identifier_to=nil, type="inline")\r
           path ||= ''\r
-          if identifier_to and identifier_to.to_i > 0\r
-            identifier_to = identifier_to.to_i \r
-          else\r
-            identifier_to = identifier_from.to_i - 1\r
-          end\r
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : ''\r
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : (identifier_from.to_i - 1)\r
+          \r
           cmd = "#{SVN_BIN} diff -r "\r
           cmd << "#{identifier_to}:"\r
           cmd << "#{identifier_from}"\r