Make sure that the target of a merge operation is either empty or an existing package base name. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/pkgreqfuncs.inc.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 5b86eaa..41d1515 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -95,6 +95,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { return array(false, __("Invalid name: only lowercase letters are allowed.")); } + if (!empty($merge_into) && !pkgbase_from_name($merge_into)) { + return array(false, __("Cannot find package to merge votes and comments into.")); + } + if (empty($comments)) { return array(false, __("The comment field must not be empty.")); } -- 2.0.2