Don't allow patches with invalid names. For example, a patch with a slash in the name will cause the underlying git command to fail, and stgit doesn't handle this error condition properly.
---
 stgit/commands/new.py | 3 +++
 stgit/commands/rename.py | 3 +++
 stgit/utils.py | 6 ++++++
 3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/stgit/commands/new.py b/stgit/commands/new.py
index d5c5382..6bd7314 100644
--- a/stgit/commands/new.py
+++ b/stgit/commands/new.py
@@ -61,6 +61,9 @@ def func(parser, options, args):
 name = args[0]
 if stack.patches.exists(name):
 raise common.CmdException('%s: patch already exists' % name)
+
+ if not utils.check_patch_name(name):
+ raise common.CmdException('%s: invalid patch name' % name)
 else:
 parser.error('incorrect number of arguments')
diff --git a/stgit/commands/rename.py b/stgit/commands/rename.py
index db898cb..7c229be 100644
--- a/stgit/commands/rename.py
+++ b/stgit/commands/rename.py
@@ -51,6 +51,9 @@ def func(parser, options, args):
 else:
 parser.error('incorrect number of arguments')
+ if not check_patch_name(new):
+ raise CmdException('%s: invalid patch name' % new)
+
 out.start('Renaming patch "%s" to "%s"' % (old, new))
 crt_series.rename_patch(old, new)
diff --git a/stgit/utils.py b/stgit/utils.py
index 2955adf..a41457b 100644
--- a/stgit/utils.py
+++ b/stgit/utils.py
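Review bot: In stgit/commands/new.py the new `utils.check_patch_name(name)` test sits after `stack.patches.exists(name)`, so an unvalidated name still reaches the patch lookup before it is rejected. Validating first keeps malformed names (a slash, `..`, control characters) away from whatever `exists` does with them: move `if not utils.check_patch_name(name): raise common.CmdException('%s: invalid patch name' % name)` above the existence check. Indentation is lost in this rendering and func's body starts and ends outside the hunk, so the nesting of the added lines relative to the `else:` cannot be confirmed from here.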
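Review bot: In stgit/commands/rename.py the name is checked only in the command's `func`, while `crt_series.rename_patch(old, new)` itself stays unguarded; the same applies to the check added in new.py. Any other code path that creates or renames a patch (none is visible in this diff) would bypass the validation, so consider enforcing `check_patch_name` inside the library call that writes the name and keeping the command-level test only for the friendlier message. The bare `check_patch_name` and `CmdException` names presumably arrive through imports at the top of the file, which lie outside the hunk, as do the start and end of func's body.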
@@ -241,6 +241,12 @@ def make_patch_name(msg, unacceptable, default_name = 'patch'):
 patchname = default_name
 return find_patch_name(patchname, unacceptable)
+def check_patch_name(name):
+ """Checks if the specified name is a valid patch name. For
+ technical reasons, we cannot allow a slash and other characters."""
+ return len(name) > 0 and name[0] not in '.-' and '/' not in name and \
+ '..' not in name and re.search(r'[\x00-\x20]', name) is None
+
 # any and all functions are builtin in Python 2.5 and higher, but not
 # in 2.4.
 if not 'any' in dir(__builtins__):
--
To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
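Review bot: `check_patch_name` in stgit/utils.py still accepts names that git's ref-name rules reject, so the failure described in the commit message can recur for inputs other than a slash. `git check-ref-format` also refuses `~`, `^`, `:`, `?`, `*`, `[`, backslash, DEL (`\x7f`), the sequence `@{`, a trailing `.` and a trailing `.lock`, none of which are tested here. Assuming the patch name ends up as a ref component, extend the last clause to `re.search(r'[\x00-\x20\x7f~^:?*\[\\]', name) is None and '@{' not in name and not name.endswith('.') and not name.endswith('.lock')`, or delegate the decision to `git check-ref-format`. The docstring should list the rejected characters instead of saying "other characters", so callers know what to expect.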