continued :)
[phpgitweb.git] / htdocs / lib / Validation.class.php
diff --git a/htdocs/lib/Validation.class.php b/htdocs/lib/Validation.class.php
new file mode 100644 (file)
index 0000000..4db14d9
--- /dev/null
@@ -0,0 +1,63 @@
+<?php
+/* Validation.class.php - phpgitweb
+ * Copyright (C) 2011-2012  Philipp Kreil (pk910)
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License 
+ * along with this program. If not, see <http://www.gnu.org/licenses/>. 
+ */
+
+class Validation {
+       
+       public static function validate_path($path) {
+               /* Path validation #1
+               * no '.' or '..' as elements of path, i.e. no '.' nor '..'
+               * at the beginning, at the end, and between slashes.
+               * also this catches doubled slashes
+               */
+               if(preg_match('#(^|/)(|\.|\.\.)(/|$)#', $path))
+                       return false;
+               
+               /* Path validation #2
+               * no null characters
+               */
+               if(preg_match('#\0#', $path))
+                       return false;
+               
+               return true;
+       }
+       
+       public static function validate_hash($hash) {
+               /* Hash validation #1
+               * regular hashes [a-f0-9] are always ok
+               */
+               if(preg_match('#^[a-f0-9]{1,40}$#i', $hash))
+                       return true;
+               
+               /* Hash validation #2
+               * must be a valid path
+               */
+               if(!self::validate_path($hash))
+                       return false;
+               
+               /* Hash validation #3
+               * restrictions on ref name according to git-check-ref-format
+               */
+               if(preg_match('#(\.|\.\.|[\000-\040\177 ~^:?*\[\]]|/$)#', $hash))
+                       return false;
+               
+               return true;
+       }
+       
+}
+
+?>
\ No newline at end of file
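Review bot: validate_hash() accepts values that are neither a plain hash nor a safe ref name. In check #1 the `$` anchor is used without the `D` modifier, so it also matches before a trailing newline and `"abc123\n"` is returned as valid; anchoring with `\z` (`#^[a-f0-9]{1,40}\z#i`) closes that. The deny-list in check #3 rejects neither a leading `-` nor characters such as `;`, `|`, `$`, backtick or backslash, so if callers place the value on a git command line (they are not visible in this diff) it should additionally be rejected when it starts with a dash and be passed through `escapeshellarg()`. Both methods also treat a `false` return from preg_match() as "no match", so on PHP versions where a non-string subject produces a warning instead of a TypeError, an array from a `name[]=` request parameter passes validation. Starting validate_path() and validate_hash() with `if(!is_string($path)) return false;` (and the same for `$hash`) makes them fail closed.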