ref: 3edd9c1f0e4e47a06f5e4f96ce30414804057ccd
parent: e155808edac6b6f867252e37972fa8bdcfadbebe
author: Ori Bernstein <[email protected]>
date: Wed Nov 25 17:36:05 EST 2020
gitls: escape or urlencode filenames webls used to dump out the filenames directly into html, instead of escaping this. This was fine for security, since you needed to be authorized to push to the repository, but funny filenames could have broken the output. This change urlencodes the urls, and htcats the filenames.
--- a/extra/gitls
+++ b/extra/gitls
@@ -102,8 +102,11 @@
echo '</pre>'
echo '<p><a href='/git/$repo/$hash/f.html'>files</a>'
echo '<pre id="code">'
- for(f in `$nl{ls})
- echo '<a href="'$f'/f.html">'$f'</a>'
+ for(f in `$nl{ls}){
+ url=`$nl{echo -n $f/f.html | urlencode}
+ fname=`$nl{echo -n $f | htcat}
+ echo '<a href="'$url'">'$fname'</a>'
+ }
echo '</pre>'
echo '<pre id="desc">'
if(test -f README)
@@ -143,8 +146,11 @@
}
if not if(test -d $file){
cd $file
- for(f in `$nl{ls})
- echo '<a href="'$f'/f.html">'$f'</a>'
+ for(f in `$nl{ls}){
+ url=`$nl{echo -n $f/f.html | urlencode}
+ fname=`$nl{echo -n $f | htcat}
+ echo '<a href="'$url'">'$fname'</a>'
+ }
}
echo '</pre>'
}