From: Rob H. <for...@us...> - 2003-02-11 06:37:27
|
Update of /cvsroot/sandweb/sandweb/lib/SandWeb/Repository In directory sc8-pr-cvs1:/tmp/cvs-serv2778/lib/SandWeb/Repository Modified Files: cvs.pm Log Message: fixed security problem, only way around it apparently is to not allow " :(
Index: cvs.pm
===================================================================
RCS file: /cvsroot/sandweb/sandweb/lib/SandWeb/Repository/cvs.pm,v
retrieving revision 1.41
retrieving revision 1.42
diff -U2 -r1.41 -r1.42
--- cvs.pm 10 Feb 2003 07:15:23 -0000 1.41
+++ cvs.pm 11 Feb 2003 06:37:24 -0000 1.42
@@ -2108,5 +2108,5 @@
 if ($force) { push @param, " -f" };
 if ($check) { push @param, " -c" };
- if ($name) { push @param, " $name" };
+ if ($name) { push @param, " \\\"$name\\\"" };
 $log->debug("Performing tag operation");
@@ -2284,5 +2284,12 @@
 my $clobber = $params{'clobber'};
 my $directories = $params{'directories'};
- my $rev = $params{'rev'};
+ my $unsafe_rev = $params{'rev'};
+
+ # Security check
+ my $secure = SandWeb::Security->new();
+ my $rev = $secure->shell(
+ characters => "$unsafe_rev"
+ );
+
+
 my $date = $params{'date'};
 my $merge = $params{'merge'};
@@ -2296,5 +2303,5 @@
 if ($clobber) { push @param, " -C" };
 if ($directories) { push @param, " -d" };
- if ($rev) { push @param, " -r$rev" };
+ if ($rev) { push @param, " -r \\\"$rev\\\"" };
 if ($date) { push @param, " -D" };
 if ($merge) { push @param, " -j" };
|
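Review bot: Wrapping `$name` in `\"…\"` on the `push @param` line does not neutralise shell metacharacters on its own, and the same applies to the `-r \"$rev\"` line in the third hunk. Inside double quotes a shell still expands `$`, backticks and backslashes, so stripping only `"` from the input (as the log message describes) leaves command substitution possible if this string reaches a shell. This hunk also shows no `SandWeb::Security` call for `$name` like the one the second hunk adds for `rev`; its assignment lies outside the hunk, so confirm it is filtered there. CVS tag names are a letter followed by letters, digits, `-` and `_`, so an allowlist that fails closed is tighter: reject the request unless `$name =~ /\A[A-Za-z][A-Za-z0-9_-]*\z/`. Longer term, building the command as a list and using list-form `system`/`open` removes the need for quoting at all.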
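Review bot: The `$secure->shell(characters => "$unsafe_rev")` call appears to rewrite the revision rather than reject it, so a request containing unexpected characters would proceed with a different value than the user supplied. What `shell` removes is not visible here, and going by the log message it may be only the double quote. Validating against what CVS accepts and refusing anything else is safer, for example accepting `rev` only when it matches `/\A(?:\d+(?:\.\d+)*|[A-Za-z][A-Za-z0-9_-]*)\z/`. The interpolation `"$unsafe_rev"` also turns an absent `rev` into an empty string, with an uninitialized-value warning when warnings are enabled; pass `$unsafe_rev` directly after a `defined` check. The enclosing sub starts and ends outside the hunk.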