| Message ID | 20210808082825.16762-2-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/2] report: fail if the report does not exists | expand |
| Context | Check | Description |
|---|---|---|
| andriy/configure | warning | Failed to apply patch |
On 8/8/2021 9:28 AM, Michael Niedermayer wrote: > +$req_slot =~ s/[^-._A-Za-z0-9 ]*//g; I don't think it is wise to allow periods here, considering we use string ops to append it to a dir name just below. .. and we probably should not be using string ops to construct directory names. > +$req_time =~ s/[^0-9]*//g; We should validate this is an actual time, probably. - Derek
On Sun, Aug 08, 2021 at 01:00:30PM +0100, Derek Buitenhuis wrote: > On 8/8/2021 9:28 AM, Michael Niedermayer wrote: > > +$req_slot =~ s/[^-._A-Za-z0-9 ]*//g; > > I don't think it is wise to allow periods here, considering > we use string ops to append it to a dir name just below. Periods are used for example: report.cgi?slot=x86_32-debian-kfreebsd-gcc-4.4-cpuflags-0-n2.8&time=20170321202837 > > .. and we probably should not be using string ops to construct > directory names. > > > +$req_time =~ s/[^0-9]*//g; > > We should validate this is an actual time, probably. sure, but i will leave this to nicolas because he actually knows perl compared to me thx [...]
diff --git a/report.cgi b/report.cgi index 43ea134..5c457ac 100755 --- a/report.cgi +++ b/report.cgi @@ -25,6 +25,8 @@ use FATE; my $req_slot = param 'slot'; my $req_time = param 'time'; +$req_slot =~ s/[^-._A-Za-z0-9 ]*//g; +$req_time =~ s/[^0-9]*//g; my $slotdir = "$fatedir/$req_slot"; my $repdir = "$slotdir/$req_time";
based on a39e4d1bee74647f534589b09eaf15246359d6b6 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- report.cgi | 2 ++ 1 file changed, 2 insertions(+)