This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new 051dea5 Add user validation
051dea5 is described below
commit 051dea52da1a1a5ec3b8ad2baf755286d6ba34c7
Author: Sebb <[email protected]>
AuthorDate: Tue Oct 6 17:40:03 2020 +0100
Add user validation
---
www/board/agenda/models/pending.rb | 5 ++++-
www/board/agenda/views/actions/commit.json.rb | 4 +++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/www/board/agenda/models/pending.rb
b/www/board/agenda/models/pending.rb
index f2b5b50..0422f07 100644
--- a/www/board/agenda/models/pending.rb
+++ b/www/board/agenda/models/pending.rb
@@ -1,7 +1,10 @@
class Pending
# determine the name of the work file associated with a given user
def self.work_file(user)
- "#{AGENDA_WORK}/#{user}.yml".untaint if user =~ /\A\w+\z/
+ # user ids may include '-'
+ raise ArgumentError, "Unexpected user id #{user}" unless user =~
/\A[-\w]+\z/
+
+ "#{AGENDA_WORK}/#{user}.yml"
end
# fetch and parse a work file
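Review bot: The new `raise` in `work_file` interpolates the rejected `user` value into the exception message verbatim, so an id containing newlines or control characters reaches whatever log or error response carries that message unescaped. Writing it as `raise ArgumentError, "Unexpected user id #{user.inspect}"` keeps the message on one line and makes a nil or empty id visible; the same applies to the identical `raise` added in commit.json.rb. Separately, `work_file` used to return nil for a non-matching id and now raises, so any caller that tested the result for nil (none are visible in this hunk) should be checked. A comment such as `# raises ArgumentError unless user matches [-\w]+, so the path below cannot leave AGENDA_WORK` would record why the check has to precede the interpolation.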
diff --git a/www/board/agenda/views/actions/commit.json.rb
b/www/board/agenda/views/actions/commit.json.rb
index 2413180..cacc45d 100644
--- a/www/board/agenda/views/actions/commit.json.rb
+++ b/www/board/agenda/views/actions/commit.json.rb
@@ -6,7 +6,9 @@ MAX_LINE = 79
INDENT = 13
user = env.user
-user = user.dup.untaint if user =~ /\A\w+\z/
+# user ids may include '-'
+raise ArgumentError, "Unexpected user id #{user}" unless user =~ /\A[-\w]+\z/
+
updates = YAML.load_file("#{AGENDA_WORK}/#{user}.yml")
agenda_file = updates['agenda']
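Review bot: The id check added ahead of `YAML.load_file` repeats the pattern from `Pending.work_file` instead of calling it, so the two copies of `/\A[-\w]+\z/` can drift apart and leave one of the path builders with the weaker check. If the Pending model is loaded in this view (that is not visible here), `updates = YAML.load_file(Pending.work_file(user))` would keep validation and path construction in one place. The script continues past the end of the hunk.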