SubmoduleAddCommand: Remove double-check of submodule name

Since v4.7.5.201810051826-r~3 (SubmoduleAddCommand: Reject submodule
URIs that look like cli options, 2018-09-24), SubmoduleAddCommand
checks submodule names for ".." path components in
assertValidSubmoduleName.  This additional check for the same is
redundant.

Change-Id: I993326a370978880b690dc133a81fa3025935bcb
Signed-off-by: Jonathan Nieder <jrn@gmail.com>
stable-5.2
Jonathan Nieder 6 years ago
parent
commit
51d656586b
15
org.eclipse.jgit/src/org/eclipse/jgit/api/SubmoduleAddCommand.java

@ -179,21 +179,6 @@ public class SubmoduleAddCommand extends
// Use the path as the default.
name = path;
}
if (name.contains("/../") || name.contains("\\..\\") //$NON-NLS-1$ //$NON-NLS-2$
|| name.startsWith("../") || name.startsWith("..\\") //$NON-NLS-1$ //$NON-NLS-2$
|| name.endsWith("/..") || name.endsWith("\\..")) { //$NON-NLS-1$ //$NON-NLS-2$
// Submodule names are used to store the submodule repositories
// under $GIT_DIR/modules. Having ".." in submodule names makes a
// vulnerability (CVE-2018-11235
// https://bugs.eclipse.org/bugs/show_bug.cgi?id=535027#c0)
// Reject the names with them. The callers need to make sure the
// names free from these. We don't automatically replace these
// characters or canonicalize by regarding the name as a file path.
// Since Path class is platform dependent, we manually check '/' and
// '\\' patterns here.
throw new IllegalArgumentException(MessageFormat
.format(JGitText.get().invalidNameContainsDotDot, name));
}
try {
SubmoduleValidator.assertValidSubmoduleName(name);
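Review bot: The removed condition (the `name.contains` / `name.startsWith` / `name.endsWith` lines at the top of the deleted block) rejected backslash-separated forms such as `"\\..\\"`, `"..\\"` and `"\\.."` as well as the forward-slash ones, and nothing visible in this hunk shows that `SubmoduleValidator.assertValidSubmoduleName(name)` covers the same set. Before dropping it, confirm that the validator rejects every pattern listed here and add or point to a test per pattern, including the Windows-style separators. The deleted block threw `IllegalArgumentException` directly, while the remaining call sits inside a `try` whose handler is not shown, so also check that callers still get an equivalent error for a name containing "..". The deleted comment was the only place in this method that explained why ".." is rejected (names are used to store repositories under `$GIT_DIR/modules`, CVE-2018-11235); consider leaving a one-line pointer to the validator so the reason stays discoverable from this call site.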
