
Commit 519d05b

glandiumgitster
authored andcommitted
Replace ",<,>,& with their respective XML entities in DAV requests
If the repo url or the user email contain XML special characters, the remote DAV server is likely to reject the LOCK requests because the XML is then malformed. Signed-off-by: Mike Hommey <mh@glandium.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent d3c9634 commit 519d05b

1 file changed

Lines changed: 34 additions & 2 deletions


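--- a/http-push.c
+++ b/http-push.c
@@ -186,6 +186,32 @@ enum dav_header_flag {
 DAV_HEADER_TIMEOUT = (1u << 2)
 };
 
+static char *xml_entities(char *s)
+{
+struct strbuf buf = STRBUF_INIT;
+while (*s) {
+size_t len = strcspn(s, "\"<>&");
+strbuf_add(&buf, s, len);
+s += len;
+switch (*s) {
+case '"':
+strbuf_addstr(&buf, "&quot;");
+break;
+case '<':
+strbuf_addstr(&buf, "&lt;");
+break;
+case '>':
+strbuf_addstr(&buf, "&gt;");
+break;
+case '&':
+strbuf_addstr(&buf, "&amp;");
+break;
+}
+s++;
+}
+return strbuf_detach(&buf, NULL);
+}
+
 static struct curl_slist *get_dav_token_headers(struct remote_lock *lock, enum dav_header_flag options)
 {
 struct strbuf buf = STRBUF_INIT;
@@ -1225,6 +1251,7 @@ static struct remote_lock *lock_remote(const char *path, long timeout)
 struct remote_lock *lock = NULL;
 struct curl_slist *dav_headers = NULL;
 struct xml_ctx ctx;
+char *escaped;
 
 url = xmalloc(strlen(repo->url) + strlen(path) + 1);
 sprintf(url, "%s%s", repo->url, path);
@@ -1259,7 +1286,9 @@ static struct remote_lock *lock_remote(const char *path, long timeout)
 ep = strchr(ep + 1, '/');
 }
 
-strbuf_addf(&out_buffer.buf, LOCK_REQUEST, git_default_email);
+escaped = xml_entities(git_default_email);
+strbuf_addf(&out_buffer.buf, LOCK_REQUEST, escaped);
+free(escaped);
 
 sprintf(timeout_header, "Timeout: Second-%ld", timeout);
 dav_headers = curl_slist_append(dav_headers, timeout_header);
@@ -1584,8 +1613,11 @@ static int locking_available(void)
 struct curl_slist *dav_headers = NULL;
 struct xml_ctx ctx;
 int lock_flags = 0;
+char *escaped;
 
-strbuf_addf(&out_buffer.buf, PROPFIND_SUPPORTEDLOCK_REQUEST, repo->url);
+escaped = xml_entities(repo->url);
+strbuf_addf(&out_buffer.buf, PROPFIND_SUPPORTEDLOCK_REQUEST, escaped);
+free(escaped);
 
 dav_headers = curl_slist_append(dav_headers, "Depth: 0");
 dav_headers = curl_slist_append(dav_headers, "Content-Type: text/xml");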
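Review bot: xml_entities() in the first hunk reads past the end of its input whenever the string does not end in one of the four escaped characters: once `s += len` lands on the terminating NUL, the switch matches nothing, `s++` steps over the terminator, and `while (*s)` carries on into adjacent memory, whose bytes are then appended to the request body. Both call sites (git_default_email in lock_remote, repo->url in locking_available) will normally take this path. Stop at the terminator, for example with `if (!*s) break;` right after `s += len;`, or with `case '\0': return strbuf_detach(&buf, NULL);` in the switch. The parameter could also be declared `const char *s`, since the function never writes through it. Whether `'` needs escaping too depends on how the LOCK_REQUEST and PROPFIND_SUPPORTEDLOCK_REQUEST templates quote the value, which is not visible here.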
