github-mirror/fish-shell
2
0
Fork 0
mirror of https://github.com/fish-shell/fish-shell.git synced 2025-01-20 14:27:29 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

webconfig: Check variable name and value

Browse Source 
Theoretically if this only includes simple characters, it won't cause
any issues. We already validate in other places but it doesn't hurt to
do this twice.
This commit is contained in:
Fabian Homborg 2021-12-13 21:59:08 +01:00
parent c954d70e2f
commit 06fada7445
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
share/tools/web_config/webconfig.py
View File

@ -1150,7 +1150,15 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
# This is needed for 'fish_pager_color' vars.
if name.startswith("fish_"):
varname = name
# TODO: Check if the varname is allowable.
# Check if the varname is allowable.
varname = varname.strip()
if not re.match("^[a-zA-Z0-9_]+$", varname):
print("Refusing to use variable name: '", varname, "'")
return
color = color.strip()
if not re.match("^[a-zA-Z0-9_= -]*$", color):
print("Refusing to use color value: ", color)
return
command = "set -U " + varname
command += " " + color