From: Philip Withnall <withnall@endlessm.com>
Date: Fri, 23 Jun 2017 14:55:19 +0000 (+0100)
Subject: lib/refs: Add runtime error checking for collection ID validity
X-Git-Tag: archive/raspbian/2022.1-3+rpi1~1^2~4^2~35^2~46
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=d0d5f54ce2b6c47ec80bfb0fce8e31049d39361d;p=ostree.git

lib/refs: Add runtime error checking for collection ID validity

Instead of treating it as a programming error — given that it’s user
input, that’s not really appropriate. This modifies write_ref() and
list_collection_refs() to implement validation.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Closes: #924
Approved by: cgwalters
---

diff --git a/src/libostree/ostree-repo-refs.c b/src/libostree/ostree-repo-refs.c
index 849d5d8f..491f22bd 100644
--- a/src/libostree/ostree-repo-refs.c
+++ b/src/libostree/ostree-repo-refs.c
@@ -769,6 +769,13 @@ _ostree_repo_write_ref (OstreeRepo                 *self,
 
   g_return_val_if_fail (remote == NULL || ref->collection_id == NULL, FALSE);
 
+  if (remote != NULL && !ostree_validate_remote_name (remote, error))
+    return FALSE;
+  if (ref->collection_id != NULL && !ostree_validate_collection_id (ref->collection_id, error))
+    return FALSE;
+  if (!ostree_validate_rev (ref->ref_name, error))
+    return FALSE;
+
   if (remote == NULL &&
       (ref->collection_id == NULL || g_strcmp0 (ref->collection_id, ostree_repo_get_collection_id (self)) == 0))
     {
@@ -928,11 +935,12 @@ ostree_repo_list_collection_refs (OstreeRepo    *self,
                                   GError       **error)
 {
   g_return_val_if_fail (OSTREE_IS_REPO (self), FALSE);
-  g_return_val_if_fail (match_collection_id == NULL ||
-                        ostree_validate_collection_id (match_collection_id, NULL), FALSE);
   g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), FALSE);
   g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
 
+  if (match_collection_id != NULL && !ostree_validate_collection_id (match_collection_id, error))
+    return FALSE;
+
   g_autoptr(GHashTable) ret_all_refs = NULL;
 
   ret_all_refs = g_hash_table_new_full (ostree_collection_ref_hash,