Posted to commits@whimsical.apache.org by se...@apache.org on 2020/10/02 10:55:44 UTC
[whimsy] branch master updated: More untaints
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new a9db6b1 More untaints
a9db6b1 is described below
commit a9db6b142be19e342fb7d1788d8acffd4cb8f89b
Author: Sebb <se...@apache.org>
AuthorDate: Fri Oct 2 11:55:35 2020 +0100
More untaints
---
lib/whimsy/asf/orgchart.rb | 4 +---
lib/whimsy/asf/podling.rb | 4 ++--
www/secretary/emeritus_check.cgi | 2 +-
www/secretary/ldap-names.cgi | 2 +-
www/secretary/memapp_check.cgi | 2 +-
www/secretary/public-names.cgi | 2 +-
www/secretary/workbench/views/actions/memapp.json.rb | 8 ++++----
7 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/lib/whimsy/asf/orgchart.rb b/lib/whimsy/asf/orgchart.rb
index 2ee0f66..7c6feba 100644
--- a/lib/whimsy/asf/orgchart.rb
+++ b/lib/whimsy/asf/orgchart.rb
@@ -13,9 +13,7 @@ module ASF # :nodoc:
# parse any changed YAML role files.
def self.load
@@source ||= ASF::SVN['personnel-duties']
- @@source.untaint
Dir[File.join(@@source, '*.txt')].each do |file|
- file.untaint # Since it's our own svn repo, trust it
name = file[/.*\/(.*?)\.txt/, 1]
next if @@duties[name] and @@duties[name]['mtime'] > File.mtime(file).to_f
data = Hash[*File.read(file).split(/^\[(.*)\]\n/)[1..-1].map(&:strip)]
@@ -25,7 +23,7 @@ module ASF # :nodoc:
@@duties[name] = data
end
- file = File.join(@@source, 'README').untaint
+ file = File.join(@@source, 'README')
unless @@desc['mtime'] and @@desc['mtime'] > File.mtime(file).to_f
data = Hash[*File.read(file).split(/^\[(.*)\]\n/)[1..-1].map(&:strip)]
if data['info'] then
diff --git a/lib/whimsy/asf/podling.rb b/lib/whimsy/asf/podling.rb
index 206a11e..6859c8c 100644
--- a/lib/whimsy/asf/podling.rb
+++ b/lib/whimsy/asf/podling.rb
@@ -52,6 +52,8 @@ module ASF
def initialize(node)
@name = node['name']
@resource = node['resource']
+ # Validate resource for later use resource can contain '-' and '.' (lucene.net)
+ raise ArgumentError, "Invalid resource #{@resource}" unless @resource =~ /\A[-.\w]+\z/
@sponsor = node['sponsor']
# Needed for matching against mailing list names
@resourceAliases = []
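Review bot: The new pattern `/\A[-.\w]+\z/` in `initialize` still accepts names made only of dots or starting with `-`, so `.` and `..` pass validation. In the `podlingStatus` hunk that follows, the value is only used as `"#{@resource}.yml"`, where that is harmless, but any other use of `@resource` as a bare path component or command argument (not visible here) would not be protected. Requiring a leading word character closes the gap, assuming no existing podling resource starts with `-` or `.`: `raise ArgumentError, "Invalid resource #{@resource.inspect}" unless @resource =~ /\A\w[-.\w]*\z/`, where `inspect` also keeps control characters out of the message. The check now raises from the constructor, so a single malformed entry may abort loading of every podling; it is worth confirming that fail-closed behaviour is intended. `initialize` continues past the end of the hunk.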
@@ -304,8 +306,6 @@ module ASF
# include: <tt>:ipClearance</tt>, <tt>:sourceControl</tt>, <tt>:wiki</tt>,
# <tt>:jira</tt>, <tt>:proposal</tt>, <tt>:website</tt>, <tt>:news</tt>
def podlingStatus
- # resource can contain '-'
- @resource.untaint if @resource =~ /\A[-\w]+\z/
incubator_content = ASF::SVN['incubator-podlings']
resource_yml = File.join(incubator_content, "#{@resource}.yml")
if File.exist?(resource_yml)
diff --git a/www/secretary/emeritus_check.cgi b/www/secretary/emeritus_check.cgi
index 74c7188..c37269e 100755
--- a/www/secretary/emeritus_check.cgi
+++ b/www/secretary/emeritus_check.cgi
@@ -75,7 +75,7 @@ _table_ do
end
_td do
if person.icla && person.icla.claRef
- file = ASF::ICLAFiles.match_claRef(person.icla.claRef.untaint)
+ file = ASF::ICLAFiles.match_claRef(person.icla.claRef)
if file
_a person.icla.claRef, href: ASF::SVN.svnpath!('iclas', file), target: '_blank'
else
diff --git a/www/secretary/ldap-names.cgi b/www/secretary/ldap-names.cgi
index a0a9f25..3c09e15 100755
--- a/www/secretary/ldap-names.cgi
+++ b/www/secretary/ldap-names.cgi
@@ -147,7 +147,7 @@ _html do
_a p.uid, href: '/roster/committer/' + p.uid
end
_td do
- file = ASF::ICLAFiles.match_claRef(claRef.untaint)
+ file = ASF::ICLAFiles.match_claRef(claRef)
if file
_a claRef, href: ASF::SVN.svnpath!('iclas', file)
else
diff --git a/www/secretary/memapp_check.cgi b/www/secretary/memapp_check.cgi
index b5a6cf2..c206e65 100755
--- a/www/secretary/memapp_check.cgi
+++ b/www/secretary/memapp_check.cgi
@@ -83,7 +83,7 @@ _table_ do
end
_td do
if person.icla && person.icla.claRef
- file = ASF::ICLAFiles.match_claRef(person.icla.claRef.untaint)
+ file = ASF::ICLAFiles.match_claRef(person.icla.claRef)
if file
_a person.icla.claRef, href: ASF::SVN.svnpath!('iclas', file), target: '_blank'
else
diff --git a/www/secretary/public-names.cgi b/www/secretary/public-names.cgi
index 5d775bb..6515c24 100755
--- a/www/secretary/public-names.cgi
+++ b/www/secretary/public-names.cgi
@@ -182,7 +182,7 @@ _html do
_a icla.id, href: "/roster/committer/#{icla.id}"
end
_td do
- file = ASF::ICLAFiles.match_claRef(icla.claRef.untaint)
+ file = ASF::ICLAFiles.match_claRef(icla.claRef)
if file
_a icla.claRef, href: ASF::SVN.svnpath!('iclas', file)
else
diff --git a/www/secretary/workbench/views/actions/memapp.json.rb b/www/secretary/workbench/views/actions/memapp.json.rb
index 1dd1497..b8f19fa 100644
--- a/www/secretary/workbench/views/actions/memapp.json.rb
+++ b/www/secretary/workbench/views/actions/memapp.json.rb
@@ -15,7 +15,7 @@ fileext = File.extname(@selected).downcase if @signature.empty?
# verify that a membership form under that name stem doesn't already exist
if "#@filename#{fileext}" =~ /\A\w[-\w]*\.?\w*\z/ # check taint requirements
# returns name if it matches as stem or fully (e.g. for directory)
- form = ASF::MemApps.search @filename.untaint
+ form = ASF::MemApps.search @filename
if form
_warn "documents/member_apps/#{form} already exists"
end
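Review bot: The trailing comment `# check taint requirements` on the guard line is stale now that `untaint` is gone; the regex is the only thing constraining `@filename` before `ASF::MemApps.search`. Rewording it to something like `# only search for names that are safe to use as a file stem` would tell the next maintainer that this is input validation and must not be relaxed. When the pattern does not match, the search is skipped with no warning in the visible lines, so it is worth confirming that a non-matching `@filename` is rejected later instead of being carried on to the tasks further down.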
@@ -92,8 +92,8 @@ task "update cn=member,ou=groups,dc=apache,dc=org in LDAP" do
if ASF.memberids.include? @availid
_transcript ["#@availid already in group member"]
else
- ldap.bind("uid=#{env.user.untaint},ou=people,dc=apache,dc=org",
- env.password.untaint)
+ ldap.bind("uid=#{env.user},ou=people,dc=apache,dc=org",
+ env.password)
ldap.modify "cn=member,ou=groups,dc=apache,dc=org",
[LDAP.mod(LDAP::LDAP_MOD_ADD, 'memberUid', [@availid])]
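Review bot: `env.user` is interpolated straight into the bind DN, and with the taint marker removed nothing in these lines shows that it has been checked. It presumably comes from the web server's authenticated user, in which case it is already constrained, but DN metacharacters such as `,`, `+` or `=` in that value would change which entry is bound. A guard before the bind would make the assumption explicit, e.g. `raise ArgumentError, 'invalid user id' unless env.user =~ /\A[-\w]+\z/` (adjust the character class to the project's uid rules). The enclosing `task` block starts and ends outside the hunk.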
@@ -148,7 +148,7 @@ end
task "svn commit memapp-received.text" do
meetings = ASF::SVN['Meetings']
- file = Dir["#{meetings}/2*/memapp-received.txt"].max.untaint
+ file = Dir["#{meetings}/2*/memapp-received.txt"].max
received = File.read(file)
if received =~ /^no\s+\w+\s+\w+\s+\w+\s+#{@availid}\s/
received[/^(no )\s+\w+\s+\w+\s+\w+\s+#{@availid}\s/,1] = 'yes'