summaryrefslogtreecommitdiffstats
path: root/web/lib
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2014-07-03 10:32:31 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-07-04 11:25:37 +0200
commitb113764b0bdf98b7d1d643eb2f55c50988f31deb (patch)
tree29c8b3166a8532618ee09cbc8e6ebc261322c797 /web/lib
parent87215cef000b2a49b31b14a759050db834b3497b (diff)
downloadaur-b113764b0bdf98b7d1d643eb2f55c50988f31deb.tar.gz
aur-b113764b0bdf98b7d1d643eb2f55c50988f31deb.tar.xz
Sanitize merge base name in pkgreq_file()
Move the check introduced in 06b7099 (Validate package base name when filing requests, 2014-07-02) from pkgbase.php to pkgreq_file(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib')
-rw-r--r--web/lib/pkgreqfuncs.inc.php4
1 files changed, 4 insertions, 0 deletions
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 53cf328f..76780fe1 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -72,6 +72,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
global $AUR_LOCATION;
global $AUR_REQUEST_ML;
+ if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) {
+ return array(false, __("Invalid name: only lowercase letters are allowed."));
+ }
+
if (empty($comments)) {
return array(false, __("The comment field must not be empty."));
}