gitweb: Handle invalid regexp in regexp search
When using regexp search ('sr' parameter / $search_use_regexp variable
is true), check first that regexp is valid.

Without this patch we would get an error from Perl during search (if
searching is performed by gitweb), or highlighting matches substring
(if applicable), if user provided invalid regexp... which means broken
HTML, with error page (including HTTP headers) generated after gitweb
already produced some output.

Add test that illustrates such error: for example for regexp "*\.git"
we would get the following error:

  Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE \.git/
  at /var/www/cgi-bin/gitweb.cgi line 3084.

Reported-by: Ramsay Jones <ramsay@ramsay1.demon.co.uk>
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Jakub Narebski authored and Junio C Hamano committed Feb 28, 2012
1 parent f174a25 commit 36612e4
Showing 2 changed files with 20 additions and 1 deletion.
11 changes: 10 additions & 1 deletion gitweb/gitweb.perl
Expand Up @@ -1054,7 +1054,16 @@ sub evaluate_and_validate_params {
if (length($searchtext) < 2) {
die_error(403, "At least two characters are required for search parameter");
}
$search_regexp = $search_use_regexp ? $searchtext : quotemeta $searchtext;
if ($search_use_regexp) {
$search_regexp = $searchtext;
if (!eval { qr/$search_regexp/; 1; }) {
(my $error = $@) =~ s/ at \S+ line \d+.*\n?//;
die_error(400, "Invalid search regexp '$search_regexp'",
esc_html($error));
}
} else {
$search_regexp = quotemeta $searchtext;
}
}
}
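Review bot: in the `die_error(400, "Invalid search regexp '$search_regexp'", ...)` call, the message argument interpolates the raw, user-supplied `$search_regexp`, while only `$error` goes through `esc_html()`. Nothing in this hunk shows that `die_error()` escapes its message argument, so please confirm that it does, or escape the pattern before interpolating it, since it ends up in an HTML error page. Separately, the cleanup `s/ at \S+ line \d+.*\n?//` depends on `\S+` matching the whole script path, so a path containing spaces would leave the server-side location in the output; a one-line comment saying what the substitution strips would also help the next reader.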

10 changes: 10 additions & 0 deletions t/t9501-gitweb-standalone-http-status.sh
Expand Up @@ -134,4 +134,14 @@ our $maxload = undef;
EOF


# ----------------------------------------------------------------------
# invalid arguments

test_expect_success 'invalid arguments: invalid regexp (in project search)' '
gitweb_run "a=project_list;s=*\.git;sr=1" &&
grep "Status: 400" gitweb.headers &&
grep "400 - Invalid.*regexp" gitweb.body
'
test_debug 'cat gitweb.headers'

test_done
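Review bot: the new test exercises only `a=project_list` and checks only that the body matches "400 - Invalid.*regexp". The commit message says the failure also shows up when highlighting matches, so a second case for a search that highlights its results would cover that path, and a case with a valid regexp and `sr=1` would guard against the new check rejecting good input. It is also worth asserting that the body no longer carries the Perl location (the "at /var/www/cgi-bin/gitweb.cgi line 3084" part quoted in the commit message), for example with a negated grep for " line [0-9]" on gitweb.body, since removing it is what the substitution in gitweb.perl is for.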
