
Do not allow users to enter things like "/" or ".." in the "Clone/Checkout" field in repositories
Closed, Resolved · Public

Description

The clone/checkout field is used to name the directory a repository is checked out into, so it must only have acceptable directory names. For example, "test" and "platform-test" are fine, but "platform/test" and "platform/../../../../etc/passwd" are not. We currently allow users to enter unsuitable values into this field.


Original Report

My project name is test. Before I set the repo config of Clone/Checkout, everything works well, but when I changed the Clone/Checkout config to platform/test, git clone over http fails.

correct:
git clone ssh://git@xxx.com:10222/diffusion/T/platform/test.git

failed:
git clone https://xxx.com/diffusion/T/platform/test.git

fatal: repository ' https://xxx.com/diffusion/T/platform/test.git/' not found

Event Timeline

xujinzheng raised the priority of this task from to Needs Triage.
xujinzheng updated the task description.
xujinzheng added a project: Phabricator.
xujinzheng added a subscriber: xujinzheng.
epriestley renamed this task from git clone (HTTP) failed while I set 'Clone/Checkout' values to Do not allow users to enter things like "/" or ".." in the "Clone/Checkout" field in repositories. Oct 20 2015, 2:05 PM
epriestley triaged this task as Normal priority.
epriestley updated the task description.
epriestley added a subscriber: epriestley.

See also T4245.

For reference, this repository name input:

a bcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-=!@#$%^&*()_+`~,./<>?;':"[]{}\|

Silently produces a repository with this name on GitHub:

a-bcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890--_-.-
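As an added illustration (example code, not Phabricator's own) of the rule in the task description and of the silent rewriting observed above on GitHub: a strict validator for a single checkout directory name, a containment check against an assumed checkout root, and a normaliser that reproduces the GitHub result from the comment. The allow-list, the root path and the collapse-to-dash rule are assumptions inferred from this page.

```python
import os
import re

# Allow-list for one directory component (assumption for this example;
# Phabricator's real rule is not quoted on the page).
_SAFE_COMPONENT = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')


def is_valid_checkout_name(name: str) -> bool:
    """Accept only a plain directory name: no separators, no '.'/'..', no NUL."""
    if not name or name in (".", ".."):
        return False
    if "\0" in name or "/" in name or "\\" in name:
        return False
    return _SAFE_COMPONENT.fullmatch(name) is not None


def stays_under_root(root: str, name: str) -> bool:
    """Belt-and-braces check: the resolved checkout path must stay inside root
    and must not be root itself ('' and '.' both resolve to root)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return target != root and os.path.commonpath([root, target]) == root


def github_style_normalize(name: str) -> str:
    """Approximation of the rewriting seen on GitHub in the comment above:
    each run of characters outside [A-Za-z0-9._-] collapses to one '-'.
    Inferred from that single example, not GitHub's published algorithm."""
    return re.sub(r'[^A-Za-z0-9._-]+', '-', name)


if __name__ == "__main__":
    # Constructed inputs taken from the task description.
    for candidate in ("test", "platform-test", "platform/test",
                      "platform/../../../../etc/passwd"):
        print(f"{candidate!r}: valid={is_valid_checkout_name(candidate)} "
              f"contained={stays_under_root('/tmp/repos', candidate)}")
```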
eadler added a project: Restricted Project. Jan 9 2016, 1:03 AM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.