Re: [PATCH] gitweb: Consolidate escaping/validation of query string


Dear diary, on Sun, Sep 24, 2006 at 12:36:13AM CEST, I got a letter
where Jakub Narebski <jnareb@xxxxxxxxx> said that...
> Petr Baudis wrote:
> > (click on the funny =__ify file)
> 
> Aaargh? Why this name?

You tell me... ;-)

> > I have also made esc_param() escape [?=&;]. Not escaping [&;] was downright
> > buggy and [?=] just feels better escaped. ;-) YMMV.
..snip..
> I'd rather have new esc_param() or esc_param_value() quote like escape
> subroutine from CGI::Util, with the exception of _not_ escaping '/'
> (it makes funny bookmark, and a lot less readable query string), and rename
> current esc_param() to esc_query_string() or esc_params().

Huh, well, what's the point with the rename and why not keep it as it is
with just removing the four characters above? Escaped stuff looks ugly
in a URL. ;-)

BTW, looking at CGI::Util innards, what sick mind serves CGIs from an
EBCDIC machine?

> Perhaps we should have also esc_arg() for things like title attribute
> of <a> (link) element (or other element)

Yes. I wanted to implement your few months old wish to have full string
of abbreviated column contents in title attributes but delayed it for
now because we have no such function yet.

> and filename="..." part of Content-disposition: HTTP header.

This is not HTML-ish, so you need quotemeta() here; using entities makes
no sense in this case.

> By the way, the validate_input() should be split into separate subroutines:
> validate_ref() for validating hash, hash_base, hash_parent, hash_parent_base,
> and validate_path() for validating project,

Yes, that would be nice.

> file_name and file_parent parameters.

What's the point in validating those?

> We should _never_ use esc_html except during the output, or just before output.
> It certainly shouldn't take place in parse_* subroutine (or in the fake parse
> like in git_blobdiff)!

Yes, I agree. Will send a fixed patch.

-- 
				Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
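The escaping split argued over above (percent-encode query parameters once, keep '/' readable, and apply esc_html only at output time) as an added Perl example; this is not gitweb's code, and the esc_param(), esc_html() and href() helpers, along with the sample file name, are constructed for illustration:

```perl
#!/usr/bin/perl
# Added example, not gitweb's own code: context-specific escaping helpers
# modelled on the esc_param()/esc_html() discussion in this thread.
use strict;
use warnings;

# Percent-encode a single query string *value*. Everything outside the
# unreserved set is escaped (so [?=&;#%] and whitespace are covered), but
# '/' is deliberately left alone so paths stay readable in bookmarks.
sub esc_param {
    my $str = shift;
    $str =~ s/([^A-Za-z0-9\-_.~\/])/sprintf("%%%02X", ord($1))/eg;
    return $str;
}

# HTML-escape for the output stage only; never call this while parsing.
sub esc_html {
    my $str = shift;
    $str =~ s/&/&amp;/g;
    $str =~ s/</&lt;/g;
    $str =~ s/>/&gt;/g;
    $str =~ s/"/&quot;/g;
    return $str;
}

# Build a gitweb-style link (';' separates parameters) from raw values.
# Escaping of each value happens exactly once, here.
sub href {
    my %params = @_;
    my @pairs = map { "$_=" . esc_param($params{$_}) } sort keys %params;
    return "gitweb.cgi?" . join(';', @pairs);
}

# Constructed sample: a file name containing characters that would otherwise
# split the query string (';' '&' '=') or break out of an HTML attribute.
my $file = 'dir/a;b&c=d<x>".txt';
my $url  = href(p => 'git.git', a => 'blob', f => $file);

# Output stage: the URL and the visible text are HTML-escaped once, at the
# point of emission, so the same raw $file can safely reach both contexts.
print '<a href="' . esc_html($url) . '" title="' . esc_html($file) . '">'
    . esc_html($file) . "</a>\n";
```

Running it shows ';' '&' '=' '<' '>' and '"' arriving as %3B %26 %3D %3C %3E %22 inside the href while '/' survives, and the title attribute and link text carry the entity-escaped form instead.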
