Verify rev and rev_to params format in RepositoriesController. And turn revision arguments into integers in SubversionAdapter.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1324 e93f8b46-1217-0410-a6f0-8f06a7374b81
2008-04-03 16:50:53 +00:00 · 2008-04-03 16:50:53 +00:00 · 14a2b7e9b5
parent f6ce427a00
commit 14a2b7e9b5
2 changed files with 14 additions and 11 deletions
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@ -19,8 +19,8 @@ require 'SVG/Graph/Bar'
 require 'SVG/Graph/BarHorizontal'
 require 'digest/sha1'

-class ChangesetNotFound < Exception
-end
+class ChangesetNotFound < Exception; end
+class InvalidRevisionParam < Exception; end

 class RepositoriesController < ApplicationController
  layout 'base'
@ -135,7 +135,6 @@ class RepositoriesController < ApplicationController
  end
  
  def diff
-    @rev_to = params[:rev_to]
    @diff_type = params[:type] || User.current.pref[:diff_type] || 'inline'
    @diff_type = 'inline' unless %w(inline sbs).include?(@diff_type)
    
@ -180,6 +179,8 @@ private
    render_404
  end
  
+  REV_PARAM_RE = %r{^[a-f0-9]*$}
+  
  def find_repository
    @project = Project.find(params[:id])
    @repository = @project.repository
@ -187,8 +188,12 @@ private
    @path = params[:path].join('/') unless params[:path].nil?
    @path ||= ''
    @rev = params[:rev]
+    @rev_to = params[:rev_to]
+    raise InvalidRevisionParam unless @rev.to_s.match(REV_PARAM_RE) && @rev.to_s.match(REV_PARAM_RE)
  rescue ActiveRecord::RecordNotFound
    render_404
+  rescue InvalidRevisionParam
+    show_error_not_found
  end

  def show_error_not_found
--- a/lib/redmine/scm/adapters/subversion_adapter.rb
+++ b/lib/redmine/scm/adapters/subversion_adapter.rb
@ -62,7 +62,7 @@ module Redmine
        # or nil if the given path doesn't exist in the repository
        def entries(path=nil, identifier=nil)
          path ||= ''
-          identifier = 'HEAD' unless identifier and identifier > 0
+          identifier = (identifier and identifier.to_i > 0) ? identifier.to_i : "HEAD"
          entries = Entries.new
          cmd = "#{SVN_BIN} list --xml #{target(path)}@#{identifier}"
          cmd << credentials_string
@ -94,8 +94,8 @@ module Redmine
    
        def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={})
          path ||= ''
-          identifier_from = 'HEAD' unless identifier_from and identifier_from.to_i > 0
-          identifier_to = 1 unless identifier_to and identifier_to.to_i > 0
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : "HEAD"
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : 1
          revisions = Revisions.new
          cmd = "#{SVN_BIN} log --xml -r #{identifier_from}:#{identifier_to}"
          cmd << credentials_string
@ -131,11 +131,9 @@ module Redmine
        
        def diff(path, identifier_from, identifier_to=nil, type="inline")
          path ||= ''
-          if identifier_to and identifier_to.to_i > 0
-            identifier_to = identifier_to.to_i 
-          else
-            identifier_to = identifier_from.to_i - 1
-          end
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : ''
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : (identifier_from.to_i - 1)
+          
          cmd = "#{SVN_BIN} diff -r "
          cmd << "#{identifier_to}:"
          cmd << "#{identifier_from}"