mirror of
https://codeberg.org/git-pages/git-pages.git
[security] Forbid backslashes from occurring in project names.
This addresses an authorization bypass (which could occur only on Windows). A more principled way to do this would be to use `os.Root.OpenRoot` and scope the actual filesystem operations per-domain. However, I prototyped this and it was complicated enough that it wasn't clear whether this would not introduce new issues. V12-Ref: F-77209
+1
-1
@@ -83,7 +83,7 @@ func ValidateProjectName(name string) error {
|
||||
return fmt.Errorf("must not start with %q", ".")
|
||||
}
|
||||
|
||||
forbiddenChars := "%*"
|
||||
forbiddenChars := "%*\\"
|
||||
if strings.ContainsAny(name, forbiddenChars) {
|
||||
return fmt.Errorf("must not contain any of %q", forbiddenChars)
|
||||
}
|
||||
|
||||
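Review bot: The new `forbiddenChars := "%*\\"` line has no comment saying why each character is rejected, so the security reason for the backslash is recorded only in the commit message. I would add `// '\\' is a path separator on Windows; reject it so a project name is always a single path component.` directly above it. The check is a denylist, and ValidateProjectName's body starts outside this hunk, so the visible lines do not show whether other characters that Windows path handling treats specially (such as `:`) are rejected earlier. That is worth confirming, or the denylist could be replaced with an allowlist of permitted characters. A regression test asserting that a name containing a backslash returns an error on every platform, not only Windows, would keep the denylist from being relaxed later.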