Disallow control, whitespace, and /, \, and : in distribution names.

Changes

@@ -2,6 +2,8 @@ Revision history for Perl extension PGXN::Manager
 
 0.12.7
       - Upgraded to jQuery 1.6.
+      - Distributions names containing control characters, whitespace
+        characters, /, \, and : are now disallowed.
 
 0.12.6  2011-05-03T21:06:43
       - Fixed a bug where reindexing a distribution would cause the release

lib/PGXN/Manager/Distribution.pm

@@ -166,6 +166,17 @@ sub normalize {
         return;
     }
 
+    # Validate the distribution name.
+    if (length $meta->{name} < 2
+            || $meta->{name} =~ m{[\p{Cntrl}\p{Space}\p{Blank}/\\:]}
+    ) {
+        $self->error([
+            '"[_1]" is an invalid distribution name',
+            $meta->{name}
+        ]);
+        return;
+    }
+
     my $meta_modified = 0;
     # Does the version need normalizing?
     my $normal = SemVer->declare($meta->{version})->normal;

lib/PGXN/Manager/Locale.pm

@@ -22,6 +22,7 @@ our %Lexicon = (
     contact_page_title => 'How to get in touch with the responsible parties',
     '"[_1]" is missing the required [numerate,_2,key] [qlist,_3]' => '“[_1]” is missing the required [numerate,_2,key] [qlist,_3]',
     '"[_1]" is missing the required [numerate,_2,key] [qlist,_3] under [_4]' => '“[_1]” is missing the required [numerate,_2,key] [qlist,_3] under [_4]',
+    '"[_1]" is an invalid distribution name' => '“[_1]” is not a valid distribution name. Distribution names must be at least two characters and may not contain unprintable or whitespace characters or /, \\, or :.',
     howto_page_title => 'How to create PostgreSQL extensions and distribute them on PGXN',
     howto_body => q{<p>PGXN is the PostgreSQL Extension Network. If you&#8217;re a PostgreSQL developer, you&#8217;ve no doubt created customizations to make your life simpler. This is possible because PostgreSQL today is not merely a database, it’s an application development platform. If you&#8217;d like to distribute such customizations in open-source releases for your fellow PostgreSQL enthusiasts to enjoy, PGXN is the place to do it.</p>
 

sql/05-distributions.sql

@@ -12,7 +12,9 @@ CREATE TYPE relstatus AS ENUM(
 );
 
 CREATE TABLE distributions (
-    name        CITEXT      NOT NULL,
+    name        CITEXT      NOT NULL CHECK (
+         length(name) >=2 AND name !~ '[[:space:][:blank:][:cntrl:]/\\:]'
+    ),
     version     SEMVER      NOT NULL,
     abstract    TEXT        NOT NULL DEFAULT '',
     description TEXT        NOT NULL DEFAULT '',

t/distribution.t

@@ -2,8 +2,8 @@
 
 use 5.12.0;
 use utf8;
-#use Test::More tests => 242;
-use Test::More 'no_plan';
+use Test::More tests => 284;
+#use Test::More 'no_plan';
 use Archive::Zip qw(:ERROR_CODES);
 use HTTP::Headers;
 use Test::File;
@@ -243,6 +243,37 @@ is_deeply [sort $dist->zip->memberNames ], [
 ], 'All of the files should have the new prefix';
 is $updated, 0, '_update_meta() should not have been called';
 
+# Try invalid distribution names.
+my $dmeta = {
+    version => '1.2.2',
+    license => 'bsd',
+    maintainer => 'Someone',
+    abstract   => 'Not the blues',
+};
+for my $name (
+    '@honky/tonk#', # Slash
+    'h',            # too short
+    "foo\0bar",     # unprintable
+    'foo bar',      # whitespace
+    'foo:bar',      # colon
+    'foo\\bar',     # backslash
+) {
+    $dmeta->{name} = $name;
+    $dzip->memberNamed('widget-0.2.5/META.json')->contents(encode_json $dmeta);
+    $dzip->writeToFileNamed($badmetazip) == AZ_OK or die 'write error';
+    ok $dist = new_dist($badmetazip), qq{Create dist with bad name "$name"};
+    ok $dist->extract, '... Extract it';
+    ok $dist->read_meta, '... Read its meta data';
+    ok !$dist->normalize, '... Should get false from normalize()';
+    is_deeply scalar $dist->error, [
+        '"[_1]" is an invalid distribution name',
+        $name,
+    ], '... Sould get invalid name error';
+    is $dist->localized_error,
+        "“$name” is not a valid distribution name. Distribution names must be at least two characters and may not contain unprintable or whitespace characters or /, \\, or :.",
+            '... Should get the localized invalid name message';
+}
+
 # Try an archive with keys missing from the META.json.
 $dzip->memberNamed('widget-0.2.5/META.json')->contents(encode_json {
     name => 'whatever',

t/distributions.pg

@@ -1,7 +1,7 @@
 SET search_path = public,contrib,tap;
 
 BEGIN;
-SELECT plan(86);
+SELECT plan(92);
 --SELECT * FROM no_plan();
 
 SELECT has_enum('relstatus');
@@ -96,6 +96,24 @@ SELECT ok(
     'TRIGGER'
 ]) AS priv;
 
+-- Test CHECK.
+INSERT INTO users (nickname, password, full_name, email, set_by)
+VALUES ('theory', '', '', 'foo@example.com', 'theory');
+
+SELECT throws_like(
+    $$ INSERT INTO distributions (name, version, creator, sha1, meta)
+       VALUES($$ || quote_literal(bad) || $$, '1.0.0', 'theory', 'bar', 'baz')$$,
+    '%distributions_name_check%',
+    'Should get exception for name "' || bad || 'h"'
+) FROM unnest(ARRAY[
+    'h',           -- too short
+    'foo/bar',     -- slash
+    'foo:bar',     -- colon
+    'foo\bar',     -- backslash
+    'foo bar',     -- whitespace
+    E'foo\x0abar'  -- unprintable
+]) AS bad;
+
 /****************************************************************************/
 -- Test distribution_tags.
 SELECT has_table('public', 'distribution_tags', 'Should have table public.distribution_tags');
@@ -134,6 +152,7 @@ SELECT fk_ok(
 
 SELECT has_index('distribution_tags', 'idx_distribution_tags_tag');
 SELECT index_is_type('distribution_tags', 'idx_distribution_tags_tag', 'btree');
+
 -- Check privileges.
 SELECT ok(
     has_table_privilege('pgxn', 'distribution_tags', 'SELECT'),

t/distributions.t

@@ -184,7 +184,7 @@ ok $dist = PGXN::Manager::Distribution->new(
     archive  => $distzip,
     basename => 'pgTAP-0.35.0.zip',
 ), 'Create a pgTAP-0.35.0 distribution for admin';
-ok $dist->process, 'Process the pgTAP-0.35.0 distribution';
+ok $dist->process, 'Process the pgTAP-0.35.0 distribution' or diag $dist->localized_error;
 
 ##################################################################################
 # Okay, now have the user fetch the list again.