shithub: git9


ref: 3edd9c1f0e4e47a06f5e4f96ce30414804057ccd
parent: e155808edac6b6f867252e37972fa8bdcfadbebe
author: Ori Bernstein <[email protected]>
date: Wed Nov 25 17:36:05 EST 2020

gitls: escape or urlencode filenames

webls used to dump the filenames directly into
html instead of escaping them. This was fine for
security, since you needed to be authorized to push
to the repository, but funny filenames could have
broken the output.

This change urlencodes the urls, and htcats the
filenames.

--- a/extra/gitls
+++ b/extra/gitls
@@ -102,8 +102,11 @@
 	echo '</pre>'
 	echo '<p><a href='/git/$repo/$hash/f.html'>files</a>'
 	echo '<pre id="code">'
-	for(f in `$nl{ls})
-		echo '<a href="'$f'/f.html">'$f'</a>'
+	for(f in `$nl{ls}){
+		url=`$nl{echo -n $f/f.html | urlencode}
+		fname=`$nl{echo -n $f | htcat}
+		echo '<a href="'$url'">'$fname'</a>'
+	}		
 	echo '</pre>'
 	echo '<pre id="desc">'
 	if(test -f README)
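Review bot: A file name whose first path segment contains a colon may still be read by the browser as a URL scheme rather than a relative path, because `$url` sits at the very start of the `href` in the added `echo`; whether `urlencode` percent-encodes `:` is not visible here and should be confirmed. Anchoring the link removes the dependency on that: `echo '<a href="./'$url'">'$fname'</a>'`. The same applies to the identical loop in the second hunk (the `test -d $file` branch). Separately, the unchanged `files` link just above the loop still writes `$repo` and `$hash` unescaped into an unquoted `href`; if either can be influenced by the request, it deserves the same encoding and a quoted attribute. The enclosing block starts and ends outside the hunk.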
@@ -143,8 +146,11 @@
 	}
 	if not if(test -d $file){
 		cd $file
-		for(f in `$nl{ls})
-			echo '<a href="'$f'/f.html">'$f'</a>'
+		for(f in `$nl{ls}){
+			url=`$nl{echo -n $f/f.html | urlencode}
+			fname=`$nl{echo -n $f | htcat}
+			echo '<a href="'$url'">'$fname'</a>'
+		}
 	}
 	echo '</pre>'
 	}
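Review bot: The five-line escaping loop here is a copy of the one added in the first hunk, so a later fix to one listing can silently miss the other. Consider moving it into a single rc function (for example `fn lslinks`) that runs the `ls` loop and emits the encoded links, and calling it from both places. A short comment on that function saying that `$url` is encoded for attribute context and `$fname` for element content would document why two different encoders are used. Also, splitting the `ls` output on `$nl` turns a name containing a newline into two entries; each is still escaped, but the resulting links will not resolve. The enclosing `if not if` block begins outside the hunk.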