mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

filter out control characters in error messages

Browse source 
giveup changed to filter out control characters. (It is too low level to
make it use StringContainingQuotedPath.)

error still does not, but it should only be used for internal errors,
where the message is not attacker-controlled.

Changed a lot of existing error to giveup when it is not strictly an
internal error.

Of course, other exceptions can still be thrown, either by code in
git-annex, or a library, that include some attacker-controlled value.
This does not guard against those.

Sponsored-by: Noam Kremen on Patreon
This commit is contained in:
Joey Hess 2023-04-10 13:38:14 -04:00
parent 063c00e4f7
commit cd544e548b
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
69 changed files with 142 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Assistant/Upgrade.hs
View file

@ -205,7 +205,7 @@ upgradeToDistribution newdir cleanup distributionfile = do
, Param "--directory", File tmpdir
]
unless tarok $
error $ "failed to untar " ++ distributionfile
giveup $ "failed to untar " ++ distributionfile
sanitycheck $ tmpdir </> installBase
installby R.rename newdir (tmpdir </> installBase)
let deleteold = do
@ -218,7 +218,7 @@ upgradeToDistribution newdir cleanup distributionfile = do
#endif
sanitycheck dir =
unlessM (doesDirectoryExist dir) $
error $ "did not find " ++ dir ++ " in " ++ distributionfile
giveup $ "did not find " ++ dir ++ " in " ++ distributionfile
makeorigsymlink olddir = do
let origdir = fromRawFilePath (parentDir (toRawFilePath olddir)) </> installBase
removeWhenExistsWith R.removeLink (toRawFilePath origdir)
@ -227,7 +227,7 @@ upgradeToDistribution newdir cleanup distributionfile = do
{- Finds where the old version was installed. -}
oldVersionLocation :: IO FilePath
oldVersionLocation = readProgramFile >>= \case
Nothing -> error "Cannot find old distribution bundle; not upgrading."
Nothing -> giveup "Cannot find old distribution bundle; not upgrading."
Just pf -> do
let pdir = fromRawFilePath $ parentDir $ toRawFilePath pf
#ifdef darwin_HOST_OS
@ -240,7 +240,7 @@ oldVersionLocation = readProgramFile >>= \case
let olddir = pdir
#endif
when (null olddir) $
error $ "Cannot find old distribution bundle; not upgrading. (Looked in " ++ pdir ++ ")"
giveup $ "Cannot find old distribution bundle; not upgrading. (Looked in " ++ pdir ++ ")"
return olddir
{- Finds a place to install the new version.