[aur-dev] [PATCH 2/4] Validate package base name when filing requests

Lukas Fleischer archlinux at cryptocrack.de
Wed Jul 2 02:29:35 EDT 2014


Make sure that the package base to merge into does not contain any
invalid characters.

Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
 web/html/pkgbase.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index adc6118..c246b6f 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -97,7 +97,12 @@ if (check_token()) {
 	} elseif (current_action("do_ChangeCategory")) {
 		list($ret, $output) = pkgbase_change_category($base_id, $atype);
 	} elseif (current_action("do_FileRequest")) {
-		list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
+		if (empty($_POST['merge_into']) || preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $_POST['merge_into'])) {
+			list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
+		} else {
+			$output = __("Invalid name: only lowercase letters are allowed.");
+			$ret = false;
+		}
 	} elseif (current_action("do_CloseRequest")) {
 		list($ret, $output) = pkgreq_close($_POST['reqid'], false);
 	}
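Review bot: The new `preg_match` check on `$_POST['merge_into']` anchors with `$`, which in PCRE also matches just before a trailing newline, so an otherwise valid name ending in `\n` passes validation and is handed to `pkgreq_file()` unchanged. Adding the `D` modifier closes this: `preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $_POST['merge_into'])`. The rejection message says only lowercase letters are allowed, although the pattern also accepts digits and `.`, `+`, `_`, `-`, so it misdescribes the rule to a user whose input was refused. `$_POST['type']` and `$_POST['comments']` still reach `pkgreq_file()` unchecked at this call site; whether that function validates them is not visible here, and the enclosing `if (check_token())` block starts and ends outside the hunk.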
-- 
2.0.1


