author | Jakub Narebski <jnareb@gmail.com> | 2012-03-02 23:34:24 +0100 |
committer | Junio C Hamano <gitster@pobox.com> | 2012-03-06 14:48:24 -0800 |
commit | e65ceb61cd7d3fabedea8cb545f8c210b48552d4 (patch) | |
tree | e672ccbb098ca1356b7db83d53aca9dce859ecc0 /gitweb | |
parent | f174a2583c9f42315b60205890fa67a79a1f1669 (diff) | |
gitweb: Fix fixed string (non-regexp) project searchjn/maint-do-not-match-with-unsanitized-searchtext
Use $search_regexp, in which regex metacharacters are quoted, for
searching the projects list, rather than $searchtext, which contains
the original search term.
Reported-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb')
-rwxr-xr-x | gitweb/gitweb.perl | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 50a835a5bf..a7e0d8f688 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -2905,10 +2905,10 @@ sub filter_forks_from_projects_list {
 sub search_projects_list {
 	my ($projlist, %opts) = @_;
 	my $tagfilter = $opts{'tagfilter'};
-	my $searchtext = $opts{'searchtext'};
+	my $search_re = $opts{'search_regexp'};
 	return @$projlist
-		unless ($tagfilter || $searchtext);
+		unless ($tagfilter || $search_re);
 	my @projects;
  PROJECT:
@@ -2920,10 +2920,10 @@ sub search_projects_list {
 				grep { lc($_) eq lc($tagfilter) }
 				keys %{$pr->{'ctags'}};
 		}
-		if ($searchtext) {
+		if ($search_re) {
 			next unless
-				$pr->{'path'} =~ /$searchtext/ ||
-				$pr->{'descr_long'} =~ /$searchtext/;
+				$pr->{'path'} =~ /$search_re/ ||
+				$pr->{'descr_long'} =~ /$search_re/;
 		}
 		push @projects, $pr;
@@ -5089,7 +5089,7 @@ sub git_project_list_body {
 	my $show_ctags = gitweb_check_feature('ctags');
 	my $tagfilter = $show_ctags ? $cgi->param('by_tag') : undef;
 	$check_forks = undef
-		if ($tagfilter || $searchtext);
+		if ($tagfilter || $search_regexp);
 	# filtering out forks before filling info allows to do less work
 	@projects = filter_forks_from_projects_list(\@projects)
@@ -5097,9 +5097,9 @@ sub git_project_list_body {
 	@projects = fill_project_list_info(\@projects);
 	# searching projects require filling to be run before it
 	@projects = search_projects_list(\@projects,
-	                                 'searchtext' => $searchtext,
+	                                 'search_regexp' => $search_regexp,
 	                                 'tagfilter' => $tagfilter)
-		if ($tagfilter || $searchtext);
+		if ($tagfilter || $search_regexp);
 	$order ||= $default_projects_order;
 	$from = 0 unless defined $from; |
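Review bot: The contract that `$opts{'search_regexp'}` is already regex-safe is now carried entirely by the caller, and nothing in search_projects_list states or checks it; the second hunk still interpolates the value bare into `/$search_re/`, so a future caller passing raw user text reintroduces the bug this commit fixes. A comment next to the new `my $search_re = $opts{'search_regexp'};` line in the first hunk would make the expectation explicit: `# 'search_regexp' is used as a regex: callers pass a pattern that is already safe (metacharacters quoted for fixed-string search)`. If, as the commit title suggests, quoting only happens in fixed-string mode, the regexp-mode value is presumably still the user's own pattern and is evaluated as such here; that is worth a second sentence in the same comment rather than left implicit. The body of search_projects_list starts in the first hunk and continues outside the second.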