prohibit directory indicators in "git:....?path=" as a package source

Closes #1027
2015-09-11 15:03:10 -06:00 · 2015-09-11 15:03:10 -06:00 · 696c9d972f
commit 696c9d972f
parent dcfb9cb972
2 changed files with 9 additions and 0 deletions
--- a/pkgs/racket-test/tests/pkg/tests-name.rkt
+++ b/pkgs/racket-test/tests/pkg/tests-name.rkt
@ -115,6 +115,7 @@
  (check-equal-values? (parse "git://github.com/../fish" #f #rx"indicator") (values #f 'github #f))
  (check-equal-values? (parse "git://github.com/racket/fish" 'clone) (values "fish" 'clone #t))
  (check-equal-values? (parse "racket/fish" 'github) (values "fish" 'github #t))
+  (check-equal-values? (parse "git://github.com/racket/fish/?path=../bill" #f #rx"indicator") (values #f 'github #f))

  (check-equal-values? (parse "git://not-github.com/racket/fish" #f #f) (values "fish" 'git #t))
  (check-equal-values? (parse "git://not-github.com/fish" #f #f) (values "fish" 'git #t))
@ -129,6 +130,7 @@
  (check-equal-values? (parse "git://not-github.com/.././" #f #rx"indicator") (values #f 'git #f))
  (check-equal-values? (parse "git://not-github.com/racket/fish" 'clone #f) (values "fish" 'clone #t))
  (check-equal-values? (parse "git://not-github.com/.././" 'clone #rx"indicator") (values #f 'clone #f))
+  (check-equal-values? (parse "git://not-github.com/fish/?path=../bill" #f #rx"indicator") (values #f 'git #f))

  (check-equal-values? (parse "http://racket-lang.org/racket/fish" 'git #f) (values "fish" 'git #t))
  (check-equal-values? (parse "https://racket-lang.org/racket/fish" 'git #f) (values "fish" 'git #t))
--- a/racket/collects/pkg/name.rkt
+++ b/racket/collects/pkg/name.rkt
@ -196,6 +196,13 @@
                                        (complain "URL path ends with a directory indicator"))
                                   (cor ((num-empty p) . < . 2)
                                        (complain "URL path ends with two empty elements"))))
+                              (let ([a (assoc 'path (url-query url))])
+                                (or (not a)
+                                    (not (cdr a))
+                                    (cor (for/and ([e (in-list (string-split (cdr a) "/"))])
+                                           (not (or (equal? e ".")
+                                                    (equal? e ".."))))
+                                         (complain "path query includes a directory indicator"))))
                              (extract-git-name url p complain-name))
                         ;; github://
                         (let ([p (if (equal? "" (path/param-path (last p)))