From 36612e4daf8b5b5eaf16315aa13c66925f878cd6 Mon Sep 17 00:00:00 2001
From: Jakub Narebski
Date: Tue, 28 Feb 2012 19:41:47 +0100
Subject: [PATCH] gitweb: Handle invalid regexp in regexp search

When using regexp search ('sr' parameter / $search_use_regexp variable is true), check first that regexp is valid. Without this patch we would get an error from Perl during search (if searching is performed by gitweb), or highlighting matches substring (if applicable), if user provided invalid regexp... which means broken HTML, with error page (including HTTP headers) generated after gitweb already produced some output.

Add test that illustrates such error: for example for regexp "*\.git" we would get the following error:

  Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE \.git/ at /var/www/cgi-bin/gitweb.cgi line 3084.

Reported-by: Ramsay Jones
Signed-off-by: Jakub Narebski
Signed-off-by: Junio C Hamano
---
 gitweb/gitweb.perl                       | 11 ++++++++++-
 t/t9501-gitweb-standalone-http-status.sh | 10 ++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 50a835a5b..7b9369811 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -1054,7 +1054,16 @@ sub evaluate_and_validate_params {
 		if (length($searchtext) < 2) {
 			die_error(403, "At least two characters are required for search parameter");
 		}
-		$search_regexp = $search_use_regexp ? $searchtext : quotemeta $searchtext;
+		if ($search_use_regexp) {
+			$search_regexp = $searchtext;
+			if (!eval { qr/$search_regexp/; 1; }) {
+				(my $error = $@) =~ s/ at \S+ line \d+.*\n?//;
+				die_error(400, "Invalid search regexp '$search_regexp'",
+					esc_html($error));
+			}
+		} else {
+			$search_regexp = quotemeta $searchtext;
+		}
 	}
 }
diff --git a/t/t9501-gitweb-standalone-http-status.sh b/t/t9501-gitweb-standalone-http-status.sh
index 26102ee9b..31076edc5 100755
--- a/t/t9501-gitweb-standalone-http-status.sh
+++ b/t/t9501-gitweb-standalone-http-status.sh
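Review bot: The `eval { qr/$search_regexp/; 1; }` in the new `if ($search_use_regexp)` branch only proves the pattern compiles; a well-formed but pathological pattern from an anonymous client (nested quantifiers such as `(a+)+$`) still backtracks exponentially when gitweb later runs it over commit text or file contents, and Perl has no regex timeout, so the 400 path leaves that denial-of-service surface open. I would add above the eval `# Only validates syntax; a valid pattern can still be catastrophically slow -- cap its length or wrap the search in alarm()` and consider rejecting patterns over a modest length. The die_error title string interpolates the raw user pattern, which is safe only if die_error escapes its second argument the way the call site here escapes `$extra`; that escaping is not visible in this hunk and is worth confirming before relying on it. Note also that `s/ at \S+ line \d+.*\n?//` does not strip a script path containing a space, so the install location could leak into the error page on such a deployment. The enclosing sub evaluate_and_validate_params starts before this hunk.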
@@ -134,4 +134,14 @@ our $maxload = undef;
 EOF
+# ----------------------------------------------------------------------
+# invalid arguments
+
+test_expect_success 'invalid arguments: invalid regexp (in project search)' '
+	gitweb_run "a=project_list;s=*\.git;sr=1" &&
+	grep "Status: 400" gitweb.headers &&
+	grep "400 - Invalid.*regexp" gitweb.body
+'
+test_debug 'cat gitweb.headers'
+
 test_done
--
2.26.2
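Review bot: The new test_expect_success pins only the rejection path; nothing asserts that a valid pattern with `sr=1` still succeeds, so a regression in the eval wrapper that rejected every regexp would pass this suite unnoticed. Add a sibling positive case, e.g. `gitweb_run "a=project_list;s=.*\.git;sr=1" && grep "Status: 200 OK" gitweb.headers`. The commit message says the breakage also surfaced while highlighting matches, yet only `a=project_list` is exercised here; a case that runs the invalid pattern through a project-level search action would presumably cover the code path where gitweb itself executes the regexp, though whether the fixture repository supports that is not visible in this hunk.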