diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-07-03 10:32:31 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-07-04 11:25:37 +0200 |
commit | b113764b0bdf98b7d1d643eb2f55c50988f31deb (patch) | |
tree | 29c8b3166a8532618ee09cbc8e6ebc261322c797 /web/lib | |
parent | 87215cef000b2a49b31b14a759050db834b3497b (diff) | |
download | aur-b113764b0bdf98b7d1d643eb2f55c50988f31deb.tar.gz aur-b113764b0bdf98b7d1d643eb2f55c50988f31deb.tar.xz |
Sanitize merge base name in pkgreq_file()
Move the check introduced in 06b7099 (Validate package base name when
filing requests, 2014-07-02) from pkgbase.php to pkgreq_file().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib')
-rw-r--r-- | web/lib/pkgreqfuncs.inc.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 53cf328f..76780fe1 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -72,6 +72,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_LOCATION; global $AUR_REQUEST_ML; + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) { + return array(false, __("Invalid name: only lowercase letters are allowed.")); + } + if (empty($comments)) { return array(false, __("The comment field must not be empty.")); } |