On Monday 05 January 2009 03:46:22, Shawn O. Pearce wrote:
> The earlier restriction was too narrow for some applications, for
> example repositories named "jgit.dev" and "jgit.test" are perfectly
> valid Git repositories and should still be able to be served by
> the daemon.
>
> By blocking out only uses of ".." as a path component and Windows
> UNC paths (by blocking "\") we can reasonably prevent the client
> from escaping the base directories configured in the daemon.
>
> + if (name.startsWith("../") || name.contains("/../")
> + || name.contains("\\"))

//host/share also works as a UNC path (even the DOS commands support it,
provided you quote the paths), and if you block //, shouldn't '/' and
'[A-Z]:' also be blocked?

\\ is a UNC prefix only at the beginning of a path, so if / need not be
filtered, nor does //. Inside a path \\ is the same as \ AFAIK (except
directly after the drive letter).

This should probably be factored out into a utility so we can have a
simple unit test for it.

-- robin
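Review bot: the quoted condition misses a ".." component that ends the name or is the whole name: `name.startsWith("../")` and `name.contains("/../")` both require a trailing "/", so "foo/.." and ".." pass the check. Testing the split path components for equality with ".." (as the commit message describes) instead of substring matching closes that gap; rejecting a leading "/" would also cover the absolute-path case raised in the reply.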
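As an added example of the utility the reply asks for (this is not JGit's code; the class and method names are this example's own), the check below treats the name as a list of path components, rejects ".." wherever it appears as a component, and also refuses absolute, UNC-style and drive-letter prefixes. The `main` method doubles as the simple unit test suggested in the thread.

```java
// Added example, not JGit's own code: a repository-name check factored into
// a small utility so it can be unit tested. Names are this example's choices.
import java.util.regex.Pattern;

public final class RepositoryNameCheck {

    // A leading drive letter such as "C:" (relevant on Windows hosts).
    private static final Pattern DRIVE_LETTER = Pattern.compile("^[A-Za-z]:");

    private RepositoryNameCheck() {
    }

    /**
     * Returns true if {@code name} is a relative path that cannot escape the
     * daemon's base directory: no absolute or UNC prefix, no drive letter,
     * and no ".." as a path component (with '/' or '\' as separator).
     */
    public static boolean isSafeRepositoryName(String name) {
        if (name == null || name.isEmpty())
            return false;
        // Absolute paths: "/foo", "\foo", and UNC-style "//host/share"
        // or "\\host\share" all start with a separator.
        char first = name.charAt(0);
        if (first == '/' || first == '\\')
            return false;
        if (DRIVE_LETTER.matcher(name).find())
            return false;
        // Treat both separators alike so "a\..\b" is caught like "a/../b".
        // Comparing whole components keeps names such as "jgit..git" valid.
        for (String component : name.split("[/\\\\]")) {
            if (component.equals(".."))
                return false;
        }
        return true;
    }

    // Self-check with constructed names; would become a unit test in the project.
    public static void main(String[] args) {
        String[] accepted = { "jgit.dev", "jgit.test", "team/jgit..git", "a/b/c.git" };
        String[] rejected = { "..", "../x", "x/..", "a/../b", "a\\..\\b",
                "/etc/repo", "//host/share/repo", "\\\\host\\share",
                "C:repo", "c:\\repo", "" };
        for (String n : accepted)
            if (!isSafeRepositoryName(n))
                throw new AssertionError("should accept: " + n);
        for (String n : rejected)
            if (isSafeRepositoryName(n))
                throw new AssertionError("should reject: " + n);
        System.out.println("all checks passed");
    }
}
```

Because the check works on components rather than substrings, "x/.." and a bare ".." are rejected while "jgit..git" is still accepted, which is the behaviour the original commit message describes.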