
Limit version strings to [a-zA-Z0-9._+-]+ see #51

1 parent 782249d commit 2d4d51543e137bf5d3751b7d5f58abce92752130 @ato ato committed Jun 17, 2012
Showing with 34 additions and 3 deletions.
  1. +20 −3 src/clojars/db.clj
  2. +14 −0 test/clojars/test/integration/uploads.clj
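--- a/src/clojars/db.clj
+++ b/src/clojars/db.clj
@@ -207,10 +207,27 @@
 :jar_name name
 :version version})))
+(defn- validate [x re message]
+ (when-not (re-matches re x)
+ (throw (Exception. (str message " (" re ")")))))
+
 (defn add-jar [account jarmap & [check-only]]
- (when-not (re-matches #"^[a-z0-9-_.]+$" (:name jarmap))
- (throw (Exception. (str "Jar names must consist solely of lowercase "
- "letters, numbers, hyphens and underscores."))))
+ ;; We're on purpose *at least* as restrictive as the recommendations on
+ ;; https://maven.apache.org/guides/mini/guide-naming-conventions.html
+ ;; If you want loosen these please include in your proposal the
+ ;; ramifications on usability, security and compatiblity with filesystems,
+ ;; OSes, URLs and tools.
+ (validate (:name jarmap) #"^[a-z0-9_.-]+$"
+ (str "Jar names must consist solely of lowercase "
+ "letters, numbers, hyphens and underscores."))
+ ;; Maven's pretty accepting of version numbers, but so far in 2.5 years
+ ;; bar one broken non-ascii exception only these characters have been used.
+ ;; Even if we manage to support obscure characters some filesystems do not
+ ;; and some tools fail to escape URLs properly. So to keep things nice and
+ ;; compatible for everyone let's lock it down.
+ (validate (:version jarmap) #"^[a-zA-Z0-9_.+-]+$"
+ (str "Version strings must consist solely of letters, "
+ "numbers, dots, pluses, hyphens and underscores."))
 (transaction
 (if check-only
 (do (rollback)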
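Review bot: `validate` throws a NullPointerException rather than its own message when `x` is nil, because `re-matches` does not accept a nil input; if `jarmap` can arrive without a `:version` or `:name` (I cannot see the POM parsing from here), the uploader gets an opaque server error instead of the intended validation failure. Guarding the match keeps the rejection explicit and on the same code path: `(when-not (and (string? x) (re-matches re x))`. The `^`/`$` anchors are redundant under `re-matches`, which already demands a whole-input match, so they are harmless but a one-line docstring on `validate` stating that the entire string must match `re` would make that contract clear to the next reader. `add-jar` continues past the end of the hunk.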
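--- a/test/clojars/test/integration/uploads.clj
+++ b/test/clojars/test/integration/uploads.clj
@@ -139,6 +139,20 @@
 :password "password"}}
 :local-repo help/local-repo))))
+(deftest deploy-requires-ascii-version
+ (-> (session clojars-app)
+ (register-as "dantheman" "test@example.org" "password" ""))
+ (is (thrown-with-msg? org.sonatype.aether.deployment.DeploymentException
+ #"Forbidden"
+ (aether/deploy
+ :coordinates '[fake/test "1.α.0"]
+ :jar-file (io/file (io/resource "test.jar"))
+ :pom-file (io/file (io/resource "test-0.0.1/test.pom"))
+ :repository {"test" {:url (str "http://localhost:" test-port "/repo")
+ :username "dantheman"
+ :password "password"}}
+ :local-repo help/local-repo))))
+
 (deftest put-on-html-fails
 (-> (session clojars-app)
 (visit "/repo/group/artifact/1.0.0/injection.html" :request-method :put)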
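Review bot: `deploy-requires-ascii-version` pins only the rejection of a non-ASCII version; nothing asserts that a version using the newly permitted characters (for example `1.0.0+build` or `0.1-SNAPSHOT`) still deploys, so an over-tightened regex would pass this suite unnoticed. A companion positive deploy, plus one ASCII version containing a character the regex excludes (a space, say, if the request routing lets it reach `add-jar`), would exercise the rule itself rather than the encoding, and would fit the test name better since the rule is stricter than ASCII. A short comment on the `:coordinates` line such as `;; α is outside the version character set enforced in db/add-jar` would tell a reader why this particular string is expected to be forbidden. `put-on-html-fails` continues outside the hunk.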
