From: James Moger
Date: Mon, 22 Oct 2012 12:55:44 +0000 (-0400)
Subject: Ensure illegal repository names are rejected in create-on-push
X-Git-Tag: v1.2.0~144
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=3e44b65e329c199f95488f9429c1a20362c70b4d;p=gitblit.git
Ensure illegal repository names are rejected in create-on-push
---
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index c09b0d20..8ff93b4e 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -197,6 +197,24 @@ public class GitFilter extends AccessRestrictionFilter {
 if (isPush) {
 if (user.canCreateOnPush(repository)) {
 // user is pushing to a new repository
+ // validate name
+ if (repository.startsWith("../")) {
+ logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
+ return null;
+ }
+ if (repository.contains("/../")) {
+ logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
+ return null;
+ }
+
+ // confirm valid characters in repository name
+ Character c = StringUtils.findInvalidCharacter(repository);
+ if (c != null) {
+ logger.error(MessageFormat.format("Invalid character '{0}' in repository name {1}!", c, repository));
+ return null;
+ }
+
+ // create repository
 RepositoryModel model = new RepositoryModel();
 model.name = repository;
 model.owner = user.username;
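Review bot: The relative-path checks added at the top of the create-on-push branch match only `../` at the start and `/../` in the middle of the name, so a name that is exactly `..` or that ends in `/..` passes both of them; whether `StringUtils.findInvalidCharacter` also rejects `.` runs or `\` is not visible in this hunk. The two branches log the same message and could be a single condition: `if (repository.equals("..") || repository.startsWith("../") || repository.endsWith("/..") || repository.contains("/../")) {`. A substring filter is still weaker than resolving the name against the repositories folder and confirming the canonical path stays beneath it, which is worth doing at the point where the folder is actually created. The enclosing method starts and ends outside the hunk.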
@@ -213,11 +231,11 @@ public class GitFilter extends AccessRestrictionFilter {
 // create the repository
 try {
- GitBlit.self().updateRepositoryModel(repository, model, true);
- logger.info(MessageFormat.format("{0} created {1} ON-PUSH", user.username, repository));
- return GitBlit.self().getRepositoryModel(repository);
+ GitBlit.self().updateRepositoryModel(model.name, model, true);
+ logger.info(MessageFormat.format("{0} created {1} ON-PUSH", user.username, model.name));
+ return GitBlit.self().getRepositoryModel(model.name);
 } catch (GitBlitException e) {
- logger.error(MessageFormat.format("{0} failed to create repository {1} ON-PUSH!", user.username, repository), e);
+ logger.error(MessageFormat.format("{0} failed to create repository {1} ON-PUSH!", user.username, model.name), e);
 }
 } else {
 logger.warn(MessageFormat.format("{0} is not permitted to create repository {1} ON-PUSH!", user.username, repository));
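Review bot: The create call in the try block now takes `model.name`, but the name checks added earlier in this commit run on `repository`; the lines between the two hunks are not shown, so if anything there rewrites `model.name`, the value that reaches `updateRepositoryModel` is not the one that was validated. If that is the case, the checks should run on the final name; otherwise the invariant deserves a comment such as `// model.name was validated above; do not modify it before this call`. The try block's enclosing branch begins outside the hunk.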