This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new 424d5b0 Need to check entire filename+extension, not just part of it
424d5b0 is described below
commit 424d5b0298f279558a5d94fca2e9ea93b8c9bf18
Author: Sebb <[email protected]>
AuthorDate: Tue Nov 26 11:59:23 2019 +0000
Need to check entire filename+extension, not just part of it
---
www/secretary/workbench/views/actions/memapp.json.rb | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/www/secretary/workbench/views/actions/memapp.json.rb
b/www/secretary/workbench/views/actions/memapp.json.rb
index 8329626..39c8ffc 100644
--- a/www/secretary/workbench/views/actions/memapp.json.rb
+++ b/www/secretary/workbench/views/actions/memapp.json.rb
@@ -12,12 +12,14 @@ message = Mailbox.find(@message)
# extract file extension
fileext = File.extname(@selected).downcase if @signature.empty?
-# verify that a membership form under that name doesn't already exist
-if "#@filename#{fileext}" =~ /\w[-\w]*\.?\w*/
+# verify that a membership form under that name stem doesn't already exist
+if "#@filename#{fileext}" =~ /^\w[-\w]*\.?\w*$/ # check taint requirements
form = "#{ASF::SVN['member_apps']}/#@filename#{fileext}"
if File.exist? form.untaint
_warn "documents/member_apps/#@filename#{fileext} already exists"
end
+else
+ _warn "Invalid filename or extension"
end
# obtain per-user information
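Review bot: The pattern on the new `if` line is anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string. A `@filename` or extension containing a newline therefore still passes when any one of its lines matches, and the whole value is then interpolated into `form` and untainted. Anchoring with `\A` and `\z` makes the test cover the entire string, which is what the commit title asks for: `if "#@filename#{fileext}" =~ /\A\w[-\w]*\.?\w*\z/ # check taint requirements`. The new `else` branch only calls `_warn`, and the script continues past the end of this hunk, so it is worth confirming that a rejected name cannot reach the later steps that use `@filename`.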