Closed
Bug 104139
Opened 23 years ago
Closed 5 years ago
LXR doesn't properly escape file and directory names.
Categories
(Webtools Graveyard :: MXR, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: gleblanc, Assigned: gleblanc)
References
()
Details
Attachments
(4 files)
1.41 KB,
patch
|
Details | Diff | Splinter Review | |
534 bytes,
patch
|
Details | Diff | Splinter Review | |
719 bytes,
patch
|
Details | Diff | Splinter Review | |
749 bytes,
patch
|
Details | Diff | Splinter Review |
Using the stock LXR code on a CVS module named, for example ORBit-C++ fails. The source page displays " ** Fatal: /\s*ORBit-C++\s*-\s*-*\s*/: nested *?+ in regexp at Local.pm line 248, line 1. " It just seems to be using the raw path and filename (with / stripped from the front and end of the path, I'm not sure why that is), but it needs to be escaped. Here's a patch (thanks to Kiko and Dekar for writing the patch) that works on the new LXR I've set up for GNOME.
Assignee | ||
Comment 1•23 years ago
|
||
Assignee | ||
Comment 2•23 years ago
|
||
Comment 3•23 years ago
|
||
Comment on attachment 53004 [details] [diff] [review] Much shorter/nicer patch, since those variables aren't used elsewhere r=kiko if you add a comment to the region showing what the hell we are doing
Assignee | ||
Comment 4•23 years ago
|
||
Comment 5•23 years ago
|
||
Comment on attachment 53017 [details] [diff] [review] With comments! r=kiko thanks
Comment 6•23 years ago
|
||
+ $path =~ s/(\W)/\\\1/g; Why not: + $path =~ s/(\W)/$1/g; ? It's much easier to see what's going on. Also, do we need to escape all non-alphanumerics (\W)? Elsewhere in the code we have a canned regexp which only escapes meta-characters. This seems safer. Gerv
Summary: LXR doesn't properly escape file and directory names. → LXR doesn't properly escape file and directory names.
Comment 7•23 years ago
|
||
Said regexp is: $foo =~ s/([\[\$\\({}).+?\/])/\\$1/g; Gerv
Assignee | ||
Comment 8•23 years ago
|
||
Assignee | ||
Comment 9•23 years ago
|
||
OK, so the method in the latest patch seems to miss "-" (bug 38060), and "|" (bug 99680, which may include other characters, I didn't look too closely). We need to get at least those two picked up by this regular expression. Gerv, could you elaborate on why "s/(\W)/$1/g" isn't a good solution (simpler form of the original regular expression). I can't quite get a handle on the security concerns here, and it seems that escaping all non-alphanumeric characters will ensure that we don't see this sort of a bug arrise again.
Comment 10•23 years ago
|
||
Are you certain that there is no character X, where X is non-alphanumeric, where \X does not mean something special? I don't know why you need to escape "-" - this is not a special regexp character. My canned regexp doesn't escape |, * and ^ because they aren't legal filename characters in the first place. You are escaping filenames, right? Gerv
Comment 11•23 years ago
|
||
ok, nm the [-<|>] stuff, packages-win must be very special magic. we do need to escape all of those for /search?
Assignee: endico → gleblanc
Updated•18 years ago
|
QA Contact: timeless → lxr
Comment 12•5 years ago
|
||
mxr is gone, mass closing.
https://searchfox.org/ is a much better alternative.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Updated•4 years ago
|
Product: Webtools → Webtools Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•