importfeed: Fix reversion that caused some '.' in filenames to be replaced with '_'

sanitizeFilePath was changed to sanitize leading '.', but ImportFeed was
running it on parts of the template. So eg the leading '.' in the extension
got sanitized.

Note the added case for sanitizeLeadingFilePathCharacter ('/':_)
-- this was added because, if the template is title/episode and the title
is not set, it would expand to "/episode". So this is another potential
security fix.
This commit is contained in:
Joey Hess 2020-08-05 11:35:00 -04:00
parent b4db85c265
commit 283d2f85d1
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
4 changed files with 29 additions and 16 deletions

View file

@ -31,17 +31,26 @@ import System.FilePath
- that case.
-}
sanitizeFilePath :: String -> FilePath
sanitizeFilePath [] = "file"
sanitizeFilePath f = leading (map sanitize f)
sanitizeFilePath = sanitizeLeadingFilePathCharacter . sanitizeFilePathComponent
{- For when the filepath is being built up out of components that should be
- individually sanitized, this can be used for each component, followed by
- sanitizeLeadingFilePathCharacter for the whole thing.
-}
sanitizeFilePathComponent :: String -> String
sanitizeFilePathComponent = map sanitize
where
sanitize c
| c == '.' || c == '-' = c
| isSpace c || isPunctuation c || isSymbol c || isControl c || c == '/' = '_'
| otherwise = c
leading ('.':s) = '_':s
leading ('-':s) = '_':s
leading s = s
sanitizeLeadingFilePathCharacter :: String -> FilePath
sanitizeLeadingFilePathCharacter [] = "file"
sanitizeLeadingFilePathCharacter ('.':s) = '_':s
sanitizeLeadingFilePathCharacter ('-':s) = '_':s
sanitizeLeadingFilePathCharacter ('/':s) = '_':s
sanitizeLeadingFilePathCharacter s = s
escapeSequenceInFilePath :: FilePath -> Bool
escapeSequenceInFilePath f = '\ESC' `elem` f

View file

@ -18,6 +18,8 @@ git-annex (8.20200720.2) UNRELEASED; urgency=medium
standalone and OSX app.
Thanks, Yaroslav Halchenko
* Slightly sped up the linux standalone bundle.
* importfeed: Fix reversion that caused some '.' in filenames to be
replaced with '_'
-- Joey Hess <id@joeyh.name> Tue, 21 Jul 2020 12:58:30 -0400

View file

@ -338,17 +338,18 @@ defaultTemplate = "${feedtitle}/${itemtitle}${extension}"
{- Generates a filename to use for a feed item by filling out the template.
- The filename may not be unique. -}
feedFile :: Utility.Format.Format -> ToDownload -> String -> FilePath
feedFile tmpl i extension = Utility.Format.format tmpl $
M.map sanitizeFilePath $ M.fromList $ extractFields i ++
[ ("extension", extension)
, extractField "itempubdate" [itempubdate]
, extractField "itempubyear" [itempubyear]
, extractField "itempubmonth" [itempubmonth]
, extractField "itempubday" [itempubday]
, extractField "itempubhour" [itempubhour]
, extractField "itempubminute" [itempubminute]
, extractField "itempubsecond" [itempubsecond]
]
feedFile tmpl i extension = sanitizeLeadingFilePathCharacter $
Utility.Format.format tmpl $
M.map sanitizeFilePathComponent $ M.fromList $ extractFields i ++
[ ("extension", extension)
, extractField "itempubdate" [itempubdate]
, extractField "itempubyear" [itempubyear]
, extractField "itempubmonth" [itempubmonth]
, extractField "itempubday" [itempubday]
, extractField "itempubhour" [itempubhour]
, extractField "itempubminute" [itempubminute]
, extractField "itempubsecond" [itempubsecond]
]
where
itm = item i

View file

@ -28,3 +28,4 @@ git annex version 8.20200720.1-g1ccb6699a1
> [[fixed|done]] --[[Joey]]