From 7464f7709b72dc28e35135ddba214b2a9d8e870f Mon Sep 17 00:00:00 2001 From: Petr Baudis Date: Thu, 5 Nov 2009 02:56:08 +0100 Subject: [PATCH] Girocco::Project::cgi_fill(): Load and verify notify parameters --- Girocco/Project.pm | 18 ++++++++++++++++++ Girocco/Util.pm | 8 +++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/Girocco/Project.pm b/Girocco/Project.pm index 0d92314..8f0f8e8 100644 --- a/Girocco/Project.pm +++ b/Girocco/Project.pm @@ -345,6 +345,24 @@ sub cgi_fill { # FIXME: Permit only existing users $self->{users} = [grep { Girocco::User::valid_name($_) } $cgi->param('user')]; + $self->{notifymail} = $gcgi->wparam('notifymail'); + if ($self->{notifymail}) { + (valid_email_multi($self->{notifymail}) and length($self->{notifymail}) <= 512) + or $gcgi->err("Invalid notify e-mail address. Use mail,mail to specify multiple addresses; total length must not exceed 512 characters, however."); + } + + $self->{notifyjson} = $gcgi->wparam('notifyjson'); + if ($self->{notifyjson}) { + valid_web_url($self->{notifyjson}) + or $gcgi->err("Invalid JSON notify URL. Note that only HTTP protocol is supported. If the URL contains funny characters, contact me."); + } + + $self->{notifycia} = $gcgi->wparam('notifycia'); + if ($self->{notifycia}) { + $self->{notifycia} =~ /^[a-zA-Z0-9._-]+$/ + or $gcgi->err("Overly suspicious CIA notify project name. If it is actually valid, contact me."); + } + not $gcgi->err_check; } diff --git a/Girocco/Util.pm b/Girocco/Util.pm index 7040bf1..2aa47b9 100644 --- a/Girocco/Util.pm +++ b/Girocco/Util.pm @@ -10,7 +10,8 @@ BEGIN { our @EXPORT = qw(scrypt jailed_file lock_file unlock_file filedb_atomic_append filedb_atomic_edit - valid_email valid_repo_url valid_web_url); + valid_email valid_email_multi + valid_repo_url valid_web_url); } @@ -99,6 +100,11 @@ sub valid_email { $_ = $_[0]; /^[a-zA-Z0-9+._-]+@[a-zA-Z0-9-.]+$/; } +sub valid_email_multi { + $_ = $_[0]; + # More relaxed, we just want to avoid too dangerous characters. + /^[a-zA-Z0-9+._, @-]+$/; +} sub valid_web_url { $_ = $_[0]; /^http:\/\/[a-zA-Z0-9-.]+(\/[_\%a-zA-Z0-9.\/~-]*)?(#[a-zA-Z0-9._-]+)?$/; -- 2.11.4.GIT