Verify rev and rev_to params format in RepositoriesController. And turn revision arguments into integers in SubversionAdapter.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1324 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/repositories_controller.rb

@@ -19,8 +19,8 @@ require 'SVG/Graph/Bar'
 require 'SVG/Graph/BarHorizontal'
 require 'digest/sha1'
 
-class ChangesetNotFound < Exception
+class ChangesetNotFound < Exception; end
-end
+class InvalidRevisionParam < Exception; end
 
 class RepositoriesController < ApplicationController
   layout 'base'
@@ -135,7 +135,6 @@ class RepositoriesController < ApplicationController
   end
   
   def diff
-    @rev_to = params[:rev_to]
     @diff_type = params[:type] || User.current.pref[:diff_type] || 'inline'
     @diff_type = 'inline' unless %w(inline sbs).include?(@diff_type)
     
@@ -180,6 +179,8 @@ private
     render_404
   end
   
+  REV_PARAM_RE = %r{^[a-f0-9]*$}
+  
   def find_repository
     @project = Project.find(params[:id])
     @repository = @project.repository
@@ -187,8 +188,12 @@ private
     @path = params[:path].join('/') unless params[:path].nil?
     @path ||= ''
     @rev = params[:rev]
+    @rev_to = params[:rev_to]
+    raise InvalidRevisionParam unless @rev.to_s.match(REV_PARAM_RE) && @rev.to_s.match(REV_PARAM_RE)
   rescue ActiveRecord::RecordNotFound
     render_404
+  rescue InvalidRevisionParam
+    show_error_not_found
   end
 
   def show_error_not_found

lib/redmine/scm/adapters/subversion_adapter.rb

@@ -62,7 +62,7 @@ module Redmine
         # or nil if the given path doesn't exist in the repository
         def entries(path=nil, identifier=nil)
           path ||= ''
-          identifier = 'HEAD' unless identifier and identifier > 0
+          identifier = (identifier and identifier.to_i > 0) ? identifier.to_i : "HEAD"
           entries = Entries.new
           cmd = "#{SVN_BIN} list --xml #{target(path)}@#{identifier}"
           cmd << credentials_string
@@ -94,8 +94,8 @@ module Redmine
     
         def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={})
           path ||= ''
-          identifier_from = 'HEAD' unless identifier_from and identifier_from.to_i > 0
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : "HEAD"
-          identifier_to = 1 unless identifier_to and identifier_to.to_i > 0
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : 1
           revisions = Revisions.new
           cmd = "#{SVN_BIN} log --xml -r #{identifier_from}:#{identifier_to}"
           cmd << credentials_string
@@ -131,11 +131,9 @@ module Redmine
         
         def diff(path, identifier_from, identifier_to=nil, type="inline")
           path ||= ''
-          if identifier_to and identifier_to.to_i > 0
+          identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : ''
-            identifier_to = identifier_to.to_i 
+          identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : (identifier_from.to_i - 1)
-          else
+          
-            identifier_to = identifier_from.to_i - 1
-          end
           cmd = "#{SVN_BIN} diff -r "
           cmd << "#{identifier_to}:"
           cmd << "#{identifier_from}"