diff options
| author | Joey Hess <joey@gnu.kitenet.net> | 2009-05-18 15:25:10 -0400 |
|---|---|---|
| committer | Joey Hess <joey@gnu.kitenet.net> | 2009-05-18 15:25:10 -0400 |
| commit | 23a4ee6d15dbd9b8e8c6588a829dd30a26a8de32 (patch) | |
| tree | 5d7d76ba25bd6331e1f2940c481477ecb4de9d12 /IkiWiki.pm | |
| parent | 0516ba04d014628be983dbd3e4c28a8f52a2c3e7 (diff) | |
Allow curly braces to be used in pagespecs
And avoid a whole class of potential security problems (though
none that I know of actually existing..), by avoiding
performing any string interpolation on user-supplied data when translating
pagespecs.
Diffstat (limited to 'IkiWiki.pm')
| -rw-r--r-- | IkiWiki.pm | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm index 6233d2ead..061a1c6db 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1678,12 +1678,6 @@ sub rcs_receive () { $hooks{rcs}{rcs_receive}{call}->(); } -sub safequote ($) { - my $s=shift; - $s=~s/[{}]//g; - return "q{$s}"; -} - sub add_depends ($$) { my $page=shift; my $pagespec=shift; @@ -1785,6 +1779,7 @@ sub pagespec_translate ($) { # Convert spec to perl code. my $code=""; + my @data; while ($spec=~m{ \s* # ignore whitespace ( # 1: match a single word @@ -1812,14 +1807,17 @@ sub pagespec_translate ($) { } elsif ($word =~ /^(\w+)\((.*)\)$/) { if (exists $IkiWiki::PageSpec::{"match_$1"}) { - $code.="IkiWiki::PageSpec::match_$1(\$page, ".safequote($2).", \@_)"; + push @data, $2; + $code.="IkiWiki::PageSpec::match_$1(\$page, \$data[$#data], \@_)"; } else { - $code.="IkiWiki::ErrorReason->new(".safequote(qq{unknown function in pagespec "$word"}).")"; + push @data, qq{unknown function in pagespec "$word"}; + $code.="IkiWiki::ErrorReason->new(\$data[$#data])"; } } else { - $code.=" IkiWiki::PageSpec::match_glob(\$page, ".safequote($word).", \@_)"; + push @data, $word; + $code.=" IkiWiki::PageSpec::match_glob(\$page, \$data[$#data], \@_)"; } } |