This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new 4a21771 Replace untaint with checks
4a21771 is described below
commit 4a21771d6071d055d80b0cdf763ecd7c78a4e97e
Author: Sebb <[email protected]>
AuthorDate: Sun Oct 4 12:22:51 2020 +0100
Replace untaint with checks
---
www/secretary/workbench/views/actions/icla2.json.rb | 4 +++-
www/secretary/workbench/views/actions/memapp.json.rb | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/www/secretary/workbench/views/actions/icla2.json.rb
b/www/secretary/workbench/views/actions/icla2.json.rb
index ef656e5..e432584 100644
--- a/www/secretary/workbench/views/actions/icla2.json.rb
+++ b/www/secretary/workbench/views/actions/icla2.json.rb
@@ -22,7 +22,9 @@ _personalize_email(env.user)
# move existing document #
########################################################################
[email protected] if @filename =~ /\A\w[-.\w]*\z/
+unless @filename =~ /\A\w[-.\w]*\z/
+ _warn "Unexpected characters in @{filename}"
+end
if @email.strip.end_with? '@apache.org'
_warn "Cannot redirect email to an @apache.org address: #{@email.strip}"
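Review bot: The added `_warn` line writes `@{filename}`, which Ruby does not interpolate, so the message will show that literal text instead of the rejected value; it should read `_warn "Unexpected characters in #{@filename}"`. Separately, the removed line only untainted the string when the pattern matched, whereas the new code only calls `_warn` on a mismatch. If `_warn` records a message without aborting the action (its behaviour is not visible here), processing continues to the document move with a filename that failed validation, so an early return or a raise may be needed. The same question applies to the `@availid` check added in memapp.json.rb. The `if @email.strip.end_with?` block continues outside the hunk.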
diff --git a/www/secretary/workbench/views/actions/memapp.json.rb
b/www/secretary/workbench/views/actions/memapp.json.rb
index b8f19fa..c5e6157 100644
--- a/www/secretary/workbench/views/actions/memapp.json.rb
+++ b/www/secretary/workbench/views/actions/memapp.json.rb
@@ -23,6 +23,8 @@ else
_warn "Invalid filename or extension"
end
+_warn "Invalid availid #{@availid}" unless @availid =~ /^\w[-.\w]+$/
+
# obtain per-user information
_personalize_email(env.user)
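Review bot: The added `@availid` check anchors its pattern with `^` and `$`, which in Ruby match at line boundaries, so a multi-line value passes as long as one of its lines matches. `@availid` is later interpolated into the file name passed to `ASF::SVN.create_`, so the check should anchor the whole string as the icla2.json.rb check does: `_warn "Invalid availid #{@availid}" unless @availid =~ /\A\w[-.\w]+\z/`. The check also now sits far from the `fn = ...` line it protects, so a short comment there pointing back to this validation would help the next reader.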
@@ -133,7 +135,6 @@ task "subscribe to [email protected]" do
complete do |dir|
# determine file name
fn = "#{@availid}-members-#{Time.now.strftime '%Y%m%d-%H%M%S-%L'}.json"
- fn.untaint if @availid =~ /^\w[-.\w]+$/
rc = ASF::SVN.create_(ASF::SVN.svnurl!('subreq'), fn, @subreq, @document,
env, _)
raise RuntimeError.new("exit code: #{rc}") if rc != 0