Remove redundant filters -- single quotes are already removed in
$pkgbuild_new and we do not pass the package name to a shell
(additionally, the regular expression already checks for potentially
evil characters).

Also, move the $pkg_name extraction up to fix the split package check.

Signed-off-by: Lukas Fleischer <[email protected]>
---
 web/html/pkgsubmit.php | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index fefb31e..685d5cb 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -268,19 +268,13 @@ if ($uid):
                        }
                }
 
-               # Now we've parsed the pkgbuild, let's move it to where it 
belongs
-               if (!$error && $pkg_name[0] == '(') {
-                       $error = __("Error - The AUR does not support split 
packages!");
-               }
-
+               # Validate package name
                if (!$error) {
-                       $pkg_name = str_replace("'", "", 
$new_pkgbuild['pkgname']);
-                       $pkg_name = escapeshellarg($pkg_name);
-                       $pkg_name = str_replace("'", "", $pkg_name);
-
-                       $presult = preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", 
$pkg_name);
-
-                       if (!$presult) {
+                       $pkg_name = $new_pkgbuild['pkgname'];
+                       if ($pkg_name[0] == '(') {
+                               $error = __("Error - The AUR does not support 
split packages!");
+                       }
+                       if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", 
$pkg_name)) {
                                $error = __("Invalid name: only lowercase 
letters are allowed.");
                        }
                }
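Review bot: With the `escapeshellarg`/`str_replace` filtering removed, the `preg_match` on the new side is the only check left on `$pkg_name`, and its `$` anchor also matches just before a trailing newline, so a name ending in a line break would pass. Whether such a value can survive the PKGBUILD parsing is not visible in this hunk, but adding the `D` modifier (`"/^[a-z0-9][a-z0-9\.+_-]*$/D"`) or anchoring with `\z` closes the gap. Separately, the split-package message set under `if ($pkg_name[0] == '(')` is overwritten straight away, because a name starting with `(` also fails the regex; making the second test `elseif (!preg_match(...))` keeps the more specific error. `$pkg_name[0]` also assumes `$new_pkgbuild['pkgname']` is set and non-empty, so an `empty()` check first would avoid a notice on a PKGBUILD without a pkgname. The enclosing `if ($uid):` block starts and ends outside the hunk.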
-- 
1.8.2.rc2.352.g908df73
