Francois Gouget : testbot/web: Reject filenames that are not valid Windows filenames. - wine-commits

20 Jun 2018

Module: tools
Branch: master
Commit: 759fc680db14c71e66e4ca5afb141c85e0504308
URL:    https://source.winehq.org/git/tools.git/?a=commit;h=759fc680db14c71e66e4ca5a...
Author: Francois Gouget fgouget@codeweavers.com
Date:   Wed Jun 20 02:43:45 2018 +0200
testbot/web: Reject filenames that are not valid Windows filenames.
IsValidFileName() verifies that the filename is valid on both Windows
and Unix. This is necessary to ensure we will be able to upload the file
to the build and/or test VMs.
IsValidFileName() is defined in the Utils.pm module so it can be reused
where necessary.
Signed-off-by: Francois Gouget fgouget@codeweavers.com
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/lib/WineTestBot/Utils.pm | 25 ++++++++++++++++++++++++-
 testbot/web/Submit.pl            |  4 ++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/testbot/lib/WineTestBot/Utils.pm b/testbot/lib/WineTestBot/Utils.pm
index 8b0bfeb..962e6ff 100644
--- a/testbot/lib/WineTestBot/Utils.pm
+++ b/testbot/lib/WineTestBot/Utils.pm
@@ -28,7 +28,7 @@ WineTestBot::Utils - Utility functions
 use Exporter 'import';
 our @EXPORT = qw(MakeSecureURL SecureConnection GenerateRandomString
                  OpenNewFile CreateNewFile CreateNewLink CreateNewDir
-                 DurationToString BuildEMailRecipient);
+                 DurationToString BuildEMailRecipient IsValidFileName);
use Fcntl;
@@ -173,4 +173,27 @@ sub CreateNewDir($$)
   }
 }
+
+#
+# Shell helpers
+#
+
+=pod
+=over 12
+
+=item C<IsValidFileName()>
+
+Returns true if the filename is valid on Unix and Windows systems.
+
+This also ensures this is not a trick filename such as '../important/file'.
+
+=back
+=cut
+
+sub IsValidFileName($)
+{
+  my ($FileName) = @_;
+  return $FileName !~ m~[<>:"/\|?*]~;
+}
+
 1;
diff --git a/testbot/web/Submit.pl b/testbot/web/Submit.pl
index c16b99f..afebc72 100644
--- a/testbot/web/Submit.pl
+++ b/testbot/web/Submit.pl
@@ -514,10 +514,10 @@ sub ValidateAndGetFileName($$)
     $self->{ErrMessage} = "You must provide a file to test";
     return undef;
   }
-  if ($FileName =~ m=[/\]=)
+  if (!IsValidFileName($FileName))
   {
     $self->{ErrField} = $FieldName;
-    $self->{ErrMessage} = "The filename is invalid";
+    $self->{ErrMessage} = "The filename contains invalid characters";
     return undef;
   }
   my $PropertyDescriptor = CreateSteps()->GetPropertyDescriptorByName("FileName");

    