Fix unescaped user input in tree/blob filenames

{* {*
* blame.tpl * blame.tpl
* gitphp: A PHP git repository browser * gitphp: A PHP git repository browser
* Component: Blame view template * Component: Blame view template
* *
* Copyright (C) 2010 Christopher Han <xiphux@gmail.com> * Copyright (C) 2010 Christopher Han <xiphux@gmail.com>
*} *}
{extends file='projectbase.tpl'} {extends file='projectbase.tpl'}
   
{block name=css} {block name=css}
{if $geshicss} {if $geshicss}
<style type="text/css"> <style type="text/css">
{$geshicss} {$geshicss}
</style> </style>
{/if} {/if}
{/block} {/block}
   
{block name=main} {block name=main}
   
<div class="page_nav"> <div class="page_nav">
{include file='nav.tpl' treecommit=$commit} {include file='nav.tpl' treecommit=$commit}
<br /> <br />
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()}">{t}plain{/t}</a> | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}">{t}plain{/t}</a> |
{if $commit->GetHash() != $head->GetHash()} {if $commit->GetHash() != $head->GetHash()}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;hb=HEAD&amp;f={$blob->GetPath()}">{t}HEAD{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;hb=HEAD&amp;f={$blob->GetPath()|escape:'url'}">{t}HEAD{/t}</a>
{else} {else}
{t}HEAD{/t} {t}HEAD{/t}
{/if} {/if}
| blame | blame
<br /> <br />
</div> </div>
   
{include file='title.tpl' titlecommit=$commit} {include file='title.tpl' titlecommit=$commit}
   
{include file='path.tpl' pathobject=$blob target='blob'} {include file='path.tpl' pathobject=$blob target='blob'}
<div class="page_body"> <div class="page_body">
{if $geshi} {if $geshi}
{$geshihead} {$geshihead}
<td class="ln de1" id="blameData"> <td class="ln de1" id="blameData">
{include file='blamedata.tpl'} {include file='blamedata.tpl'}
</td> </td>
{$geshibody} {$geshibody}
{$geshifoot} {$geshifoot}
{else} {else}
<table class="code"> <table class="code">
{foreach from=$blob->GetData(true) item=blobline name=blob} {foreach from=$blob->GetData(true) item=blobline name=blob}
{assign var=blamecommit value=$blame[$smarty.foreach.blob.iteration]} {assign var=blamecommit value=$blame[$smarty.foreach.blob.iteration]}
{if $blamecommit} {if $blamecommit}
{cycle values="light,dark" assign=rowclass} {cycle values="light,dark" assign=rowclass}
{/if} {/if}
<tr class="{$rowclass}"> <tr class="{$rowclass}">
<td class="date"> <td class="date">
{if $blamecommit} {if $blamecommit}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=commit&amp;h={$blamecommit->GetHash()}" title="{$blamecommit->GetTitle()}" class="commitTip">{$blamecommit->GetAuthorEpoch()|date_format:"%Y-%m-%d %H:%M:%S"}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=commit&amp;h={$blamecommit->GetHash()}" title="{$blamecommit->GetTitle()}" class="commitTip">{$blamecommit->GetAuthorEpoch()|date_format:"%Y-%m-%d %H:%M:%S"}</a>
{/if} {/if}
</td> </td>
<td class="author"> <td class="author">
{if $blamecommit} {if $blamecommit}
{$blamecommit->GetAuthor()} {$blamecommit->GetAuthor()}
{/if} {/if}
</td> </td>
<td class="num"><a id="l{$smarty.foreach.blob.iteration}" href="#l{$smarty.foreach.blob.iteration}" class="linenr">{$smarty.foreach.blob.iteration}</a></td> <td class="num"><a id="l{$smarty.foreach.blob.iteration}" href="#l{$smarty.foreach.blob.iteration}" class="linenr">{$smarty.foreach.blob.iteration}</a></td>
<td class="codeline">{$blobline|escape}</td> <td class="codeline">{$blobline|escape}</td>
</tr> </tr>
{/foreach} {/foreach}
</table> </table>
{/if} {/if}
</div> </div>
   
{/block} {/block}
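Review bot: The commit-metadata outputs in this hunk are still unescaped while the surrounding filename and code outputs now are: line 57 interpolates `title="{$blamecommit->GetTitle()}"` into an attribute and line 62 prints `{$blamecommit->GetAuthor()}` into the cell body, both without `|escape`, whereas the code line at 66 uses `{$blobline|escape}`. Commit titles and author names come from repository content just as filenames do, so unless Smarty's default output escaping is enabled for this template (not visible here) they should be treated the same way. The change is `title="{$blamecommit->GetTitle()|escape}"` and `{$blamecommit->GetAuthor()|escape}`; the `date_format` output on line 57 needs nothing.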
   
{* {*
* blob.tpl * blob.tpl
* gitphp: A PHP git repository browser * gitphp: A PHP git repository browser
* Component: Blob view template * Component: Blob view template
* *
* Copyright (C) 2009 Christopher Han <xiphux@gmail.com> * Copyright (C) 2009 Christopher Han <xiphux@gmail.com>
*} *}
{extends file='projectbase.tpl'} {extends file='projectbase.tpl'}
   
{block name=css} {block name=css}
{if $geshicss} {if $geshicss}
<style type="text/css"> <style type="text/css">
{$geshicss} {$geshicss}
</style> </style>
{/if} {/if}
{/block} {/block}
   
{block name=javascriptpaths} {block name=javascriptpaths}
{if file_exists('js/blob.min.js')} {if file_exists('js/blob.min.js')}
GitPHPJSPaths.blob = "blob.min"; GitPHPJSPaths.blob = "blob.min";
{/if} {/if}
{/block} {/block}
{block name=javascriptmodules} {block name=javascriptmodules}
GitPHPJSModules = ['blob']; GitPHPJSModules = ['blob'];
{/block} {/block}
   
{block name=main} {block name=main}
   
<div class="page_nav"> <div class="page_nav">
{include file='nav.tpl' treecommit=$commit} {include file='nav.tpl' treecommit=$commit}
<br /> <br />
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()}">{t}plain{/t}</a> | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}">{t}plain{/t}</a> |
{if ($commit->GetHash() != $head->GetHash()) && ($head->PathToHash($blob->GetPath()))} {if ($commit->GetHash() != $head->GetHash()) && ($head->PathToHash($blob->GetPath()))}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;hb=HEAD&amp;f={$blob->GetPath()}">{t}HEAD{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;hb=HEAD&amp;f={$blob->GetPath()|escape:'url'}">{t}HEAD{/t}</a>
{else} {else}
{t}HEAD{/t} {t}HEAD{/t}
{/if} {/if}
{if $blob->GetPath()} {if $blob->GetPath()}
| <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$blob->GetPath()}">{t}history{/t}</a> | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}">{t}history{/t}</a>
{if !$datatag} | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()}&amp;hb={$commit->GetHash()}" id="blameLink">{t}blame{/t}</a>{/if} {if !$datatag} | <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blame&amp;h={$blob->GetHash()}&amp;f={$blob->GetPath()|escape:'url'}&amp;hb={$commit->GetHash()}" id="blameLink">{t}blame{/t}</a>{/if}
{/if} {/if}
<br /> <br />
</div> </div>
   
{include file='title.tpl' titlecommit=$commit} {include file='title.tpl' titlecommit=$commit}
   
{include file='path.tpl' pathobject=$blob target='blobplain'} {include file='path.tpl' pathobject=$blob target='blobplain'}
   
<div class="page_body"> <div class="page_body">
{if $datatag} {if $datatag}
{* We're trying to display an image *} {* We're trying to display an image *}
<div> <div>
<img src="data:{$mime};base64,{$data}" /> <img src="data:{$mime};base64,{$data}" />
</div> </div>
{elseif $geshi} {elseif $geshi}
{* We're using the highlighted output from geshi *} {* We're using the highlighted output from geshi *}
{$geshiout} {$geshiout}
{else} {else}
{* Just plain display *} {* Just plain display *}
<table class="code" id="blobData"> <table class="code" id="blobData">
<tbody> <tbody>
<tr class="li1"> <tr class="li1">
<td class="ln"> <td class="ln">
<pre class="de1"> <pre class="de1">
{foreach from=$bloblines item=line name=bloblines} {foreach from=$bloblines item=line name=bloblines}
<a id="l{$smarty.foreach.bloblines.iteration}" href="#l{$smarty.foreach.bloblines.iteration}" class="linenr">{$smarty.foreach.bloblines.iteration}</a> <a id="l{$smarty.foreach.bloblines.iteration}" href="#l{$smarty.foreach.bloblines.iteration}" class="linenr">{$smarty.foreach.bloblines.iteration}</a>
{/foreach} {/foreach}
</pre></td> </pre></td>
<td class="de1"> <td class="de1">
<pre class="de1"> <pre class="de1">
{foreach from=$bloblines item=line name=bloblines} {foreach from=$bloblines item=line name=bloblines}
{$line|escape} {$line|escape}
{/foreach} {/foreach}
</pre> </pre>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
{/if} {/if}
</div> </div>
   
{/block} {/block}
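Review bot: Line 127 builds the image source as `<img src="data:{$mime};base64,{$data}" />` with `$mime` placed in an attribute unescaped, the one remaining raw interpolation in this hunk after the `f=` parameters were encoded. Where `$mime` comes from is not shown in the template; if it is the result of content sniffing it is presumably a narrow token, but that is an assumption the template should not rely on. `<img src="data:{$mime|escape};base64,{$data}" />` keeps the attribute well-formed regardless of what the detector returns.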
   
{* {*
* Path * Path
* *
* Path template * Path template
* *
* @author Christopher Han <xiphux@gmail.com> * @author Christopher Han <xiphux@gmail.com>
* @copyright Copyright (c) 2010 Christopher Han * @copyright Copyright (c) 2010 Christopher Han
* @package GitPHP * @package GitPHP
* @subpackage Template * @subpackage Template
*} *}
<div class="page_path"> <div class="page_path">
{if $pathobject} {if $pathobject}
{assign var=pathobjectcommit value=$pathobject->GetCommit()} {assign var=pathobjectcommit value=$pathobject->GetCommit()}
{assign var=pathobjecttree value=$pathobjectcommit->GetTree()} {assign var=pathobjecttree value=$pathobjectcommit->GetTree()}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathobjecttree->GetHash()}"><strong>[{$project->GetProject()}]</strong></a> / <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathobjecttree->GetHash()}"><strong>[{$project->GetProject()}]</strong></a> /
{foreach from=$pathobject->GetPathTree() item=pathtreepiece} {foreach from=$pathobject->GetPathTree() item=pathtreepiece}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathtreepiece->GetHash()}&amp;f={$pathtreepiece->GetPath()}"><strong>{$pathtreepiece->GetName()}</strong></a> / <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathtreepiece->GetHash()}&amp;f={$pathtreepiece->GetPath()|escape:'url'}"><strong>{$pathtreepiece->GetName()|escape}</strong></a> /
{/foreach} {/foreach}
{if $pathobject instanceof GitPHP_Blob} {if $pathobject instanceof GitPHP_Blob}
{if $target == 'blobplain'} {if $target == 'blobplain'}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$pathobject->GetHash()}&amp;hb={$pathobjectcommit->GetHash()}&amp;f={$pathobject->GetPath()}"><strong>{$pathobject->GetName()}</strong></a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$pathobject->GetHash()}&amp;hb={$pathobjectcommit->GetHash()}&amp;f={$pathobject->GetPath()|escape:'url'}"><strong>{$pathobject->GetName()|escape}</strong></a>
{elseif $target == 'blob'} {elseif $target == 'blob'}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$pathobject->GetHash()}&amp;hb={$pathobjectcommit->GetHash()}&amp;f={$pathobject->GetPath()}"><strong>{$pathobject->GetName()}</strong></a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$pathobject->GetHash()}&amp;hb={$pathobjectcommit->GetHash()}&amp;f={$pathobject->GetPath()|escape:'url'}"><strong>{$pathobject->GetName()|escape}</strong></a>
{else} {else}
<strong>{$pathobject->GetName()}</strong> <strong>{$pathobject->GetName()|escape}</strong>
{/if} {/if}
{elseif $pathobject->GetName()} {elseif $pathobject->GetName()}
{if $target == 'tree'} {if $target == 'tree'}
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathobject->GetHash()}&amp;f={$pathobject->GetPath()}"><strong>{$pathobject->GetName()}</strong></a> / <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;hb={$pathobjectcommit->GetHash()}&amp;h={$pathobject->GetHash()}&amp;f={$pathobject->GetPath()|escape:'url'}"><strong>{$pathobject->GetName()|escape}</strong></a> /
{else} {else}
<strong>{$pathobject->GetName()}</strong> / <strong>{$pathobject->GetName()|escape}</strong> /
{/if} {/if}
{/if} {/if}
{else} {else}
&nbsp; &nbsp;
{/if} {/if}
</div> </div>
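Review bot: Line 172 prints `<strong>[{$project->GetProject()}]</strong>` into the HTML body unescaped, even though the same value is URL-encoded for the query string on the same line and this commit now escapes every `GetName()` on lines 174-188. The project name presumably originates from the `p` request parameter, so it warrants the same treatment: `<strong>[{$project->GetProject()|escape}]</strong>`. A smaller point of style: the new `f=` parameters use `|escape:'url'` while `p=` keeps `|urlencode`; both are valid in a query string, but picking one form for every parameter would make later audits of these links simpler.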
   
{* {*
* Tree list * Tree list
* *
* Tree filelist template fragment * Tree filelist template fragment
* *
* @author Christopher Han <xiphux@gmail.com> * @author Christopher Han <xiphux@gmail.com>
* @copyright Copyright (c) 2010 Christopher Han * @copyright Copyright (c) 2010 Christopher Han
* @package GitPHP * @package GitPHP
* @subpackage Template * @subpackage Template
*} *}
   
{foreach from=$tree->GetContents() item=treeitem} {foreach from=$tree->GetContents() item=treeitem}
<tr class="{cycle values="light,dark"}"> <tr class="{cycle values="light,dark"}">
<td class="monospace perms">{$treeitem->GetModeString()}</td> <td class="monospace perms">{$treeitem->GetModeString()}</td>
{if $treeitem instanceof GitPHP_Blob} {if $treeitem instanceof GitPHP_Blob}
<td class="filesize">{$treeitem->GetSize()}</td> <td class="filesize">{$treeitem->GetSize()}</td>
<td></td> <td></td>
<td class="list fileName"> <td class="list fileName">
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()}" class="list">{$treeitem->GetName()}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}" class="list">{$treeitem->GetName()}</a>
</td> </td>
<td class="link"> <td class="link">
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()}">{t}blob{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}">{t}blob{/t}</a>
| |
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$treeitem->GetPath()}">{t}history{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=history&amp;h={$commit->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}">{t}history{/t}</a>
| |
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$treeitem->GetHash()}&amp;f={$treeitem->GetPath()}">{t}plain{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=blob_plain&amp;h={$treeitem->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}">{t}plain{/t}</a>
</td> </td>
{elseif $treeitem instanceof GitPHP_Tree} {elseif $treeitem instanceof GitPHP_Tree}
<td class="filesize"></td> <td class="filesize"></td>
<td class="expander"></td> <td class="expander"></td>
<td class="list fileName"> <td class="list fileName">
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()}" class="treeLink">{$treeitem->GetName()}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}" class="treeLink">{$treeitem->GetName()}</a>
</td> </td>
<td class="link"> <td class="link">
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()}">{t}tree{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=tree&amp;h={$treeitem->GetHash()}&amp;hb={$commit->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}">{t}tree{/t}</a>
| |
<a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=snapshot&amp;h={$treeitem->GetHash()}&amp;f={$treeitem->GetPath()}" class="snapshotTip">{t}snapshot{/t}</a> <a href="{$SCRIPT_NAME}?p={$project->GetProject()|urlencode}&amp;a=snapshot&amp;h={$treeitem->GetHash()}&amp;f={$treeitem->GetPath()|escape:'url'}" class="snapshotTip">{t}snapshot{/t}</a>
</td> </td>
{/if} {/if}
</tr> </tr>
{/foreach} {/foreach}
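Review bot: Lines 214 and 227 encode the filename in the `f=` parameter but still emit the same filename as link text via `{$treeitem->GetName()}` without `|escape`, so a tree entry whose name contains `<` or `"` is written verbatim into the listing; path.tpl in this same commit escapes `GetName()|escape`, so these two lines are the remaining gap. The change is `class="list">{$treeitem->GetName()|escape}</a>` on line 214 and `class="treeLink">{$treeitem->GetName()|escape}</a>` on line 227. The `GetModeString()` and `GetSize()` cells on lines 209 and 211 are produced from git object data rather than names and look fine as they are.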
   