From: Jean-Philippe Lang
Date: Sat, 18 Dec 2010 18:37:49 +0000 (+0000)
Subject: Restore rev param validation that was removed in r2840.
X-Git-Tag: 1.1.0~59
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=84dd413f22b9a3900ceaa33d63758f285908ecb1;p=redmine.git

Restore rev param validation that was removed in r2840.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4542 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index b6dcc3173..03fb69bd6 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -196,7 +196,10 @@ class RepositoriesController < ApplicationController
     end
   end
 
-private
+  private
+
+  REV_PARAM_RE = %r{^[a-f0-9]*$}i
+
   def find_repository
     @project = Project.find(params[:id])
     @repository = @project.repository
@@ -205,6 +208,12 @@ private
     @path ||= ''
     @rev = params[:rev].blank? ? @repository.default_branch : params[:rev].strip
     @rev_to = params[:rev_to]
+
+    unless @rev.to_s.match(REV_PARAM_RE) && @rev.to_s.match(REV_PARAM_RE)
+      if @repository.branches.blank?
+        raise InvalidRevisionParam
+      end
+    end
   rescue ActiveRecord::RecordNotFound
     render_404
   rescue InvalidRevisionParam
diff --git a/test/functional/repositories_subversion_controller_test.rb b/test/functional/repositories_subversion_controller_test.rb
index b4ad377f7..5a554b9fc 100644
--- a/test/functional/repositories_subversion_controller_test.rb
+++ b/test/functional/repositories_subversion_controller_test.rb
@@ -166,6 +166,12 @@ class RepositoriesSubversionControllerTest < ActionController::TestCase
     }
   end
 
+  def test_invalid_revision
+    get :revision, :id => 1, :rev => 'something_weird'
+    assert_response 500
+    assert_error_tag :content => /was not found/
+  end
+
   def test_revision_with_repository_pointing_to_a_subdirectory
     r = Project.find(1).repository
     # Changes repository url to a subdirectory
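Review bot: REV_PARAM_RE uses `^` and `$`, which in Ruby match at line boundaries rather than string boundaries, so a rev parameter such as `"abc\nsomething_weird"` satisfies the "whole value is hex" check even though only its first line is hex. Since this constant exists to whitelist a value that is later handed to an SCM command line, it should anchor the entire string: `REV_PARAM_RE = %r{\A[a-f0-9]*\z}i`. A one-line comment stating the intent would also help the next reader, e.g. `# Revision identifiers passed to the SCM adapter must be hex (or empty); branch names are handled separately`. find_repository starts in this hunk and its body continues past the hunk end.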
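Review bot: The new `unless` condition tests `@rev` twice and never looks at `@rev_to`, so the `params[:rev_to]` value assigned on the line just above reaches the adapter with no format check at all; the second operand should be `@rev_to.to_s.match(REV_PARAM_RE)`, and for symmetry with `@rev` it would be worth stripping it as well (`@rev_to = params[:rev_to].to_s.strip`). Note also that the check is skipped whenever `@repository.branches` is non-empty, which is presumably intended so that branch names can be used as revisions, but it means repositories that report branches get no whitelist protection from this change and must rely entirely on the adapter's argument escaping; a comment making that trade-off explicit would prevent a later reader from assuming `rev` is always validated here. The nested `if` could be collapsed to `raise InvalidRevisionParam if @repository.branches.blank?`. find_repository begins before this hunk.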
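Review bot: test_invalid_revision exercises only the `rev` parameter with a value that already fails on the first character, so it would not catch a value that passes a per-line anchored regex or a missing check on `rev_to`; adding a case with `:rev => "abc\nsomething_weird"` and one with `:rev_to => 'something_weird'` would pin both behaviours for this Subversion fixture (where `branches` is presumably empty and the check is active). Asserting a 500 for malformed client input also bakes the current status into the test; the rescue that renders this response lies outside the hunk, so if it is ever changed to a 4xx this test will need updating along with it.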