From: James Moger <james.moger@gitblit.com>
Date: Mon, 22 Oct 2012 12:55:44 +0000 (-0400)
Subject: Ensure illegal repository names are rejected in create-on-push
X-Git-Tag: v1.2.0~144
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=3e44b65e329c199f95488f9429c1a20362c70b4d;p=gitblit.git

Ensure illegal repository names are rejected in create-on-push
---

diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index c09b0d20..8ff93b4e 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -197,6 +197,24 @@ public class GitFilter extends AccessRestrictionFilter {
 		if (isPush) {
 			if (user.canCreateOnPush(repository)) {
 				// user is pushing to a new repository
+				// validate name
+				if (repository.startsWith("../")) {
+					logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
+					return null;
+				}
+				if (repository.contains("/../")) {
+					logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
+					return null;
+				}					
+
+				// confirm valid characters in repository name
+				Character c = StringUtils.findInvalidCharacter(repository);
+				if (c != null) {
+					logger.error(MessageFormat.format("Invalid character '{0}' in repository name {1}!", c, repository));
+					return null;
+				}
+
+				// create repository
 				RepositoryModel model = new RepositoryModel();
 				model.name = repository;
 				model.owner = user.username;
@@ -213,11 +231,11 @@ public class GitFilter extends AccessRestrictionFilter {
 
 				// create the repository
 				try {
-					GitBlit.self().updateRepositoryModel(repository, model, true);
-					logger.info(MessageFormat.format("{0} created {1} ON-PUSH", user.username, repository));
-					return GitBlit.self().getRepositoryModel(repository);
+					GitBlit.self().updateRepositoryModel(model.name, model, true);
+					logger.info(MessageFormat.format("{0} created {1} ON-PUSH", user.username, model.name));
+					return GitBlit.self().getRepositoryModel(model.name);
 				} catch (GitBlitException e) {
-					logger.error(MessageFormat.format("{0} failed to create repository {1} ON-PUSH!", user.username, repository), e);
+					logger.error(MessageFormat.format("{0} failed to create repository {1} ON-PUSH!", user.username, model.name), e);
 				}
 			} else {
 				logger.warn(MessageFormat.format("{0} is not permitted to create repository {1} ON-PUSH!", user.username, repository));