use safeOutput when quoting UnquotedString
UnquotedString does not need to be quoted, but still it's possible it contains something attacker-controlled, which could have an escape sequence or control character in it. This is a convenient place to filter out such things, since quoting alrready handles those in filenames. Sponsored-by: Luke Shumaker on Patreon
This commit is contained in:
parent
cd544e548b
commit
007e302637
1 changed files with 11 additions and 1 deletions
|
@ -11,6 +11,7 @@
|
||||||
module Git.Filename (
|
module Git.Filename (
|
||||||
unquote,
|
unquote,
|
||||||
quote,
|
quote,
|
||||||
|
noquote,
|
||||||
QuotePath(..),
|
QuotePath(..),
|
||||||
StringContainingQuotedPath(..),
|
StringContainingQuotedPath(..),
|
||||||
quotedPaths,
|
quotedPaths,
|
||||||
|
@ -20,6 +21,7 @@ module Git.Filename (
|
||||||
import Common
|
import Common
|
||||||
import Utility.Format (decode_c, encode_c, encode_c', isUtf8Byte)
|
import Utility.Format (decode_c, encode_c, encode_c', isUtf8Byte)
|
||||||
import Utility.QuickCheck
|
import Utility.QuickCheck
|
||||||
|
import Utility.SafeOutput
|
||||||
|
|
||||||
import Data.Char
|
import Data.Char
|
||||||
import Data.Word
|
import Data.Word
|
||||||
|
@ -55,6 +57,8 @@ class Quoteable t where
|
||||||
-- double quotes and encodes when git would
|
-- double quotes and encodes when git would
|
||||||
quote :: QuotePath -> t -> S.ByteString
|
quote :: QuotePath -> t -> S.ByteString
|
||||||
|
|
||||||
|
noquote :: t -> S.ByteString
|
||||||
|
|
||||||
instance Quoteable RawFilePath where
|
instance Quoteable RawFilePath where
|
||||||
quote (QuotePath qp) s = case encode_c' needencode s of
|
quote (QuotePath qp) s = case encode_c' needencode s of
|
||||||
Nothing -> s
|
Nothing -> s
|
||||||
|
@ -65,6 +69,8 @@ instance Quoteable RawFilePath where
|
||||||
| qp = isUtf8Byte c
|
| qp = isUtf8Byte c
|
||||||
| otherwise = False
|
| otherwise = False
|
||||||
|
|
||||||
|
noquote = id
|
||||||
|
|
||||||
-- Allows building up a string that contains paths, which will get quoted.
|
-- Allows building up a string that contains paths, which will get quoted.
|
||||||
-- With OverloadedStrings, strings are passed through without quoting.
|
-- With OverloadedStrings, strings are passed through without quoting.
|
||||||
-- Eg: QuotedPath f <> ": not found"
|
-- Eg: QuotedPath f <> ": not found"
|
||||||
|
@ -81,10 +87,14 @@ quotedPaths (p:ps) = QuotedPath p <> if null ps
|
||||||
else " " <> quotedPaths ps
|
else " " <> quotedPaths ps
|
||||||
|
|
||||||
instance Quoteable StringContainingQuotedPath where
|
instance Quoteable StringContainingQuotedPath where
|
||||||
quote _ (UnquotedString s) = encodeBS s
|
quote _ (UnquotedString s) = safeOutput (encodeBS s)
|
||||||
quote qp (QuotedPath p) = quote qp p
|
quote qp (QuotedPath p) = quote qp p
|
||||||
quote qp (a :+: b) = quote qp a <> quote qp b
|
quote qp (a :+: b) = quote qp a <> quote qp b
|
||||||
|
|
||||||
|
noquote (UnquotedString s) = encodeBS s
|
||||||
|
noquote (QuotedPath p) = p
|
||||||
|
noquote (a :+: b) = noquote a <> noquote b
|
||||||
|
|
||||||
instance IsString StringContainingQuotedPath where
|
instance IsString StringContainingQuotedPath where
|
||||||
fromString = UnquotedString
|
fromString = UnquotedString
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue