[api] validate package name on createpatchinfo call.

: in package names are only permitted for special packages
openSUSE · Jan 9, 2012 · 1356e33 · 1356e33
1 parent 188c9a3
commit 1356e33
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/api/app/controllers/source_controller.rb b/src/api/app/controllers/source_controller.rb
@@ -1859,6 +1859,12 @@ def index_project_createpatchinfo
       pkg_name = params[:name]
     end
 
+    unless valid_package_name? pkg_name
+      render_error :status => 400, :errorcode => "invalid_package_name",
+        :message => "invalid package name '#{pkg_name}'"
+      return
+    end
+
     # create patchinfo package
     pkg = nil
     if DbPackage.exists_by_project_and_name( params[:project], pkg_name )
@@ -2302,7 +2308,7 @@ def valid_package_name? name
     return true if name == "_product"
     return true if name =~ /^_product:\w[-_+\w\.:]*$/
     return true if name =~ /^_patchinfo:\w[-_+\w\.:]*$/ # obsolete, just for backward compatibility
-    name =~ /^\w[-_+\w\.:]*$/
+    name =~ /^\w[-_+\w\.]*$/
   end
 
   # load last package meta file and just check if sourceaccess flag was used at all, no per user checking atm

diff --git a/src/api/test/functional/maintenance_test.rb b/src/api/test/functional/maintenance_test.rb
@@ -731,6 +731,18 @@ def test_create_maintenance_project_and_release_packages
     assert_response :success
   end
 
+  def test_create_invalid_patchinfo
+    prepare_request_with_user "tom", "thunder"
+    # collons in patchinfo names are not allowed but common mistake
+    post "https://api.opensuse.org/source/home:tom?cmd=createpatchinfo&force=1&name=home:tom"
+    assert_response 400
+    assert_tag :tag => "status", :attributes => { :code => "invalid_package_name" }
+
+    post "https://api.opensuse.org/source/home:tom?cmd=createpatchinfo&force=1&name=home:tom"
+    assert_response 400
+    assert_tag :tag => "status", :attributes => { :code => "invalid_package_name" }
+  end
+
   def test_create_invalid_submit_request
     prepare_request_with_user "tom", "thunder"
     # without specifing target, the default target must get found via attribute