If the repo url or the user email contain XML special characters, the
remote DAV server is likely to reject the LOCK requests because the XML
is then malformed.
Signed-off-by: Mike Hommey <mh@xxxxxxxxxxxx>
---
http-push.c | 36 ++++++++++++++++++++++++++++++++++--
1 files changed, 34 insertions(+), 2 deletions(-)
Note I haven't tested more than with a quick run of t5540-http-push.sh.
Also note that this doesn't solve possible problems with non UTF-8
characters in both strings we escape here. (a DAV server may rightfully
reject XML containing non UTF-8 characters, since this XML is supposed
to be UTF-8 according to its prolog, and would thus be malformed)
diff --git a/http-push.c b/http-push.c
index feeb340..29e6b6b 100644
--- a/http-push.c
+++ b/http-push.c
@@ -186,6 +186,32 @@ enum dav_header_flag {
DAV_HEADER_TIMEOUT = (1u << 2)
};
+static char *xml_entities(char *s)
+{
+ struct strbuf buf = STRBUF_INIT;
+ while (*s) {
+ size_t len = strcspn(s, "\"<>&");
+ strbuf_add(&buf, s, len);
+ s += len;
+ switch (*s) {
+ case '"':
+ strbuf_addstr(&buf, """);
+ break;
+ case '<':
+ strbuf_addstr(&buf, "<");
+ break;
+ case '>':
+ strbuf_addstr(&buf, ">");
+ break;
+ case '&':
+ strbuf_addstr(&buf, "&");
+ break;
+ }
+ s++;
+ }
+ return buf.buf;
+}
+
static struct curl_slist *get_dav_token_headers(struct remote_lock *lock, enum dav_header_flag options)
{
struct strbuf buf = STRBUF_INIT;
@@ -1225,6 +1251,7 @@ static struct remote_lock *lock_remote(const char *path, long timeout)
struct remote_lock *lock = NULL;
struct curl_slist *dav_headers = NULL;
struct xml_ctx ctx;
+ char *escaped;
url = xmalloc(strlen(repo->url) + strlen(path) + 1);
sprintf(url, "%s%s", repo->url, path);
@@ -1259,7 +1286,9 @@ static struct remote_lock *lock_remote(const char *path, long timeout)
ep = strchr(ep + 1, '/');
}
- strbuf_addf(&out_buffer.buf, LOCK_REQUEST, git_default_email);
+ escaped = xml_entities(git_default_email);
+ strbuf_addf(&out_buffer.buf, LOCK_REQUEST, escaped);
+ free(escaped);
sprintf(timeout_header, "Timeout: Second-%ld", timeout);
dav_headers = curl_slist_append(dav_headers, timeout_header);
@@ -1584,8 +1613,11 @@ static int locking_available(void)
struct curl_slist *dav_headers = NULL;
struct xml_ctx ctx;
int lock_flags = 0;
+ char *escaped;
- strbuf_addf(&out_buffer.buf, PROPFIND_SUPPORTEDLOCK_REQUEST, repo->url);
+ escaped = xml_entities(repo->url);
+ strbuf_addf(&out_buffer.buf, PROPFIND_SUPPORTEDLOCK_REQUEST, escaped);
+ free(escaped);
dav_headers = curl_slist_append(dav_headers, "Depth: 0");
dav_headers = curl_slist_append(dav_headers, "Content-Type: text/xml");
--
1.6.2.1
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html