[aur-dev] [PATCH 1/2] pkgsubmit.php: Simplify package name validation
Remove redundant filters -- single quotes are already removed in $pkgbuild_new and we do not pass the package name to a shell (additionally, the regular expression already checks for potentially evil characters). Also, move the $pkg_name extraction up to fix the split package check. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/pkgsubmit.php | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index fefb31e..685d5cb 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -268,19 +268,13 @@ if ($uid): } } - # Now we've parsed the pkgbuild, let's move it to where it belongs - if (!$error && $pkg_name[0] == '(') { - $error = __("Error - The AUR does not support split packages!"); - } - + # Validate package name if (!$error) { - $pkg_name = str_replace("'", "", $new_pkgbuild['pkgname']); - $pkg_name = escapeshellarg($pkg_name); - $pkg_name = str_replace("'", "", $pkg_name); - - $presult = preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name); - - if (!$presult) { + $pkg_name = $new_pkgbuild['pkgname']; + if ($pkg_name[0] == '(') { + $error = __("Error - The AUR does not support split packages!"); + } + if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name)) { $error = __("Invalid name: only lowercase letters are allowed."); } } -- 1.8.2.rc2.352.g908df73
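Review bot: in the new validation block the split-package check and the regex check run independently, so for a pkgname starting with "(" the first `$error` assignment is immediately overwritten: "(" also fails `/^[a-z0-9][a-z0-9\.+_-]*$/`, and the user only ever sees "Invalid name: only lowercase letters are allowed." instead of the split-package message. Make the second check `elseif (!preg_match(...))` or wrap it in `if (!$error)` like the surrounding code. Two smaller points on the same lines: `$pkg_name[0]` on an empty pkgname raises an "Uninitialized string offset" notice, so test `empty($pkg_name)` first; and since `$` in PCRE matches before a trailing newline, `$/D` is the stricter anchor if a pkgname ending in "\n" should be rejected rather than accepted.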
Move all PKGBUILD field validations to a central location. Also, change $pkgbuild[] to $new_pkgbuild[] in order to parse evaluated PKGBUILD fields instead of raw ones. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/pkgsubmit.php | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 685d5cb..d9bb6bc 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -211,20 +211,6 @@ if ($uid): } } - # TODO This is where other additional error checking can be - # performed. Examples: #md5sums == #sources?, md5sums of any - # included files match?, install scriptlet file exists? - # - - # Check for http:// or other protocol in url - # - if (!$error) { - $parsed_url = parse_url($pkgbuild['url']); - if (!$parsed_url['scheme']) { - $error = __("Package URL is missing a protocol (ie. http:// ,ftp://)"); - } - } - # Now, run through the pkgbuild array, and do "eval" and simple substituions. if (!$error) { while (list($k, $v) = each($pkgbuild)) { @@ -288,6 +274,18 @@ if ($uid): } } + # Check for http:// or other protocol in url + if (!$error) { + $parsed_url = parse_url($new_pkgbuild['url']); + if (!$parsed_url['scheme']) { + $error = __("Package URL is missing a protocol (ie. http:// ,ftp://)"); + } + } + + # TODO: This is where other additional error checking can be + # performed. Examples: #md5sums == #sources?, md5sums of any + # included files match?, install scriptlet file exists? + # The DB schema imposes limitations on number of allowed characters # Print error message when these limitations are exceeded if (!$error) { -- 1.8.2.rc2.352.g908df73
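Review bot: in the re-added URL check, `if (!$parsed_url['scheme'])` only establishes that some scheme is present, which is weaker than the message "Package URL is missing a protocol (ie. http:// ,ftp://)" implies; because this URL is later rendered as a link, compare the scheme against an explicit allow-list (e.g. `in_array($parsed_url['scheme'], array('http', 'https', 'ftp'))`) rather than accepting any scheme. Also `parse_url()` returns false for seriously malformed input and `$new_pkgbuild['url']` may be unset for a PKGBUILD without a url field, so guard with `isset()` and `$parsed_url === false` before indexing to avoid relying on index-on-false silently yielding null. Moving the check after the eval loop is the right call, since the raw `$pkgbuild['url']` could still contain unexpanded variables.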