This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new 4a21771  Replace untaint with checks
4a21771 is described below

commit 4a21771d6071d055d80b0cdf763ecd7c78a4e97e
Author: Sebb <[email protected]>
AuthorDate: Sun Oct 4 12:22:51 2020 +0100

    Replace untaint with checks
---
 www/secretary/workbench/views/actions/icla2.json.rb  | 4 +++-
 www/secretary/workbench/views/actions/memapp.json.rb | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/secretary/workbench/views/actions/icla2.json.rb 
b/www/secretary/workbench/views/actions/icla2.json.rb
index ef656e5..e432584 100644
--- a/www/secretary/workbench/views/actions/icla2.json.rb
+++ b/www/secretary/workbench/views/actions/icla2.json.rb
@@ -22,7 +22,9 @@ _personalize_email(env.user)
 #                        move existing document                        #
 ########################################################################
 
[email protected] if @filename =~ /\A\w[-.\w]*\z/
+unless @filename =~ /\A\w[-.\w]*\z/
+  _warn "Unexpected characters in @(unknown)"
+end
 
 if @email.strip.end_with? '@apache.org'
   _warn "Cannot redirect email to an @apache.org address: #{@email.strip}"
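Review bot: The new guard at the top of the hunk only records a warning; it does not return or raise, so whether an `@filename` that fails `/\A\w[-.\w]*\z/` can still reach the "move existing document" step below depends on how `_warn` is treated by the workbench helpers, which are outside this hunk — worth confirming that a pending warning blocks completion or at least forces user confirmation before anything touches the filesystem. The message as shown here reads `Unexpected characters in @(unknown)`; if that is the committed text rather than list-mail scrubbing, it never names the rejected value, and `_warn "Unexpected characters in filename: #{@filename.inspect}"` would make the report actionable while keeping any control characters visible instead of emitting them raw. The move code this check protects begins after the end of the hunk.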
diff --git a/www/secretary/workbench/views/actions/memapp.json.rb 
b/www/secretary/workbench/views/actions/memapp.json.rb
index b8f19fa..c5e6157 100644
--- a/www/secretary/workbench/views/actions/memapp.json.rb
+++ b/www/secretary/workbench/views/actions/memapp.json.rb
@@ -23,6 +23,8 @@ else
   _warn "Invalid filename or extension"
 end
 
+_warn "Invalid availid #{@availid}" unless @availid =~ /^\w[-.\w]+$/
+
 # obtain per-user information
 _personalize_email(env.user)
 
@@ -133,7 +135,6 @@ task "subscribe to [email protected]" do
   complete do |dir|
     # determine file name
     fn = "#{@availid}-members-#{Time.now.strftime '%Y%m%d-%H%M%S-%L'}.json"
-    fn.untaint if @availid =~ /^\w[-.\w]+$/
 
     rc = ASF::SVN.create_(ASF::SVN.svnurl!('subreq'), fn, @subreq, @document, 
env, _)
     raise RuntimeError.new("exit code: #{rc}") if rc != 0
