Commit Diff

Commit:
f03e50d6fa7d457cde6feabb23a528f11bb45461
From:
Omar Polo <op@omarpolo.com>
Via:
Thomas Adam <thomas@xteddy.org>
Date:
Message:
gotwebd: guard against missig folder and file parameter in BLOB and BLAME ok stsp
Actions:
Patch | Tree
commit - 99e30d93bfe048c40e277fed11e065fdb420d51f
commit + f03e50d6fa7d457cde6feabb23a528f11bb45461
blob - b439db1b5f1d1a2a2b6127cd2fdcaf12f7bfd10b
blob + 169c3b1748004171e8a647860aeeb51664cae1cb
--- gotwebd/got_operations.c
+++ gotwebd/got_operations.c
@@ -1005,8 +1005,7 @@ got_output_file_blame(struct request *c, got_render_bl
 	bca.lines = NULL;
 	bca.cb = cb;
 
-	if (asprintf(&path, "%s%s%s", qs->folder ? qs->folder : "",
-	    qs->folder ? "/" : "", qs->file) == -1) {
+	if (asprintf(&path, "%s/%s", qs->folder, qs->file) == -1) {
 		error = got_error_from_errno("asprintf");
 		goto done;
 	}
blob - 47ed16a48254887578b69ac0f2248761f6ac5250
blob + fd378dc836f230c67317529622ddf1ccf56818e1
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -205,6 +205,11 @@ gotweb_process_request(struct request *c)
 	}
 
 	if (qs->action == BLOBRAW || qs->action == BLOB) {
+		if (qs->folder == NULL || qs->file == NULL) {
+			error = got_error(GOT_ERR_BAD_QUERYSTRING);
+			goto err;
+		}
+
 		error = got_get_repo_commits(c, 1);
 		if (error)
 			goto err;
@@ -217,6 +222,10 @@ gotweb_process_request(struct request *c)
 
 	switch (qs->action) {
 	case BLAME:
+		if (qs->folder == NULL || qs->file == NULL) {
+			error = got_error(GOT_ERR_BAD_QUERYSTRING);
+			goto err;
+		}
 		error = got_get_repo_commits(c, 1);
 		if (error) {
 			log_warnx("%s: %s", __func__, error->msg);