FreshPorts can display a single commit based upon commit id, which is based upon the Message-Id of the commit email (for subversion and cvs) or the commit hash (for git). Commit ids are specified in the URL. Cached entries are stored on disk and are named after the commit. It is because are are using user-supplied data to check a file on disk that we need to sanitize the input. Otherwise, for example, they could ask for /etc/passwd.
That attack vector is sanitized by changing all all characters outsize [a-z,A-Z,0-9] to a dash.
The following shows the new and then old cache solution.
We could avoid this sanitization by first querying the database with the incoming query, after escaping the incoming value. If found, then check the cache. If not found, pull from database.
Checking the cache first seems to make the most sense.
[dan@test-nginx01:/var/db/freshports/cache/commits] $ ls -l total 1 drwxrwxr-- 2 www freshports 3 Jan 26 14:28 202101261404-10qe4gaf086359-repo-freebsd-org drwxrwxr-- 2 www freshports 2 Jan 26 14:28 202101261404.10QE4Gaf086359@repo.freebsd.org
These changed were committed recently.
