Restore rev param validation that was removed in r2840.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4542 e93f8b46-1217-0410-a6f0-8f06a7374b81

Restore rev param validation that was removed in r2840.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4542 e93f8b46-1217-0410-a6f0-8f06a7374b81
84dd413f · Jean-Philippe Lang · f7529c94 · 84dd413f · 84dd413f
Commit 84dd413f authored 14 years ago by Jean-Philippe Lang
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -196,7 +196,10 @@ class RepositoriesController < ApplicationController
    end
  end
  
-private
+  private
+
+  REV_PARAM_RE = %r{^[a-f0-9]*$}i
+
  def find_repository
    @project = Project.find(params[:id])
    @repository = @project.repository
@@ -205,6 +208,12 @@ private
    @path ||= ''
    @rev = params[:rev].blank? ? @repository.default_branch : params[:rev].strip
    @rev_to = params[:rev_to]
+    
+    unless @rev.to_s.match(REV_PARAM_RE) && @rev.to_s.match(REV_PARAM_RE)
+      if @repository.branches.blank?
+        raise InvalidRevisionParam
+      end
+    end
  rescue ActiveRecord::RecordNotFound
    render_404
  rescue InvalidRevisionParam

--- a/test/functional/repositories_subversion_controller_test.rb
+++ b/test/functional/repositories_subversion_controller_test.rb
@@ -166,6 +166,12 @@ class RepositoriesSubversionControllerTest < ActionController::TestCase
                            }
    end
    
+    def test_invalid_revision
+      get :revision, :id => 1, :rev => 'something_weird'
+      assert_response 500
+      assert_error_tag :content => /was not found/
+    end
+    
    def test_revision_with_repository_pointing_to_a_subdirectory
      r = Project.find(1).repository
      # Changes repository url to a subdirectory