Sanitize merge base name in pkgreq_file()

Move the check introduced in 06b7099 (Validate package base name when filing requests, 2014-07-02) from pkgbase.php to pkgreq_file(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 10:43:03 +01:00 · 2014-07-03 10:32:31 +02:00 · 2014-07-03 10:32:31 +02:00 · b113764b0b
commit b113764b0b
parent 87215cef00
2 changed files with 5 additions and 6 deletions
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@ -98,12 +98,7 @@ if (check_token()) {
 	} elseif (current_action("do_ChangeCategory")) {
 		list($ret, $output) = pkgbase_change_category($base_id, $atype);
 	} elseif (current_action("do_FileRequest")) {
 		if (empty($_POST['merge_into']) || preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $_POST['merge_into'])) {
 		list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
 		} else {
 			$output = __("Invalid name: only lowercase letters are allowed.");
 			$ret = false;
 		}
 	} elseif (current_action("do_CloseRequest")) {
 		list($ret, $output) = pkgreq_close($_POST['reqid'], $_POST['reason'], $_POST['comments']);
 	}
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@ -72,6 +72,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 	global $AUR_LOCATION;
 	global $AUR_REQUEST_ML;
 	if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) {
 		return array(false, __("Invalid name: only lowercase letters are allowed."));
 	}
 	if (empty($comments)) {
 		return array(false, __("The comment field must not be empty."));
 	}