traversal, and don't try to render a template.
$c->stash(Project => $c->model('GitRepos')->project($project));
};
if ($@) {
- $c->detach('error_404');
+ $c->detach('/error_404');
}
}
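Review bot: The `if ($@)` branch turns every failure of the project lookup into a silent 404, so a rejected traversal attempt cannot later be told apart from a mistyped project name. Logging before the detach, e.g. `$c->log->warn("project lookup failed: $@");`, would give operators something to alert on. This assumes the model call on the stash line reaches the `project` method patched later in this commit. If the message can carry the requested name, strip control characters before logging it. The enclosing `eval` and sub begin outside the hunk.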
sub error_404 :Private {
my ($self, $c) = @_;
$c->response->status(404);
- $c->stash(
- title => 'Page not found',
- content => 'Page not found',
- );
+ $c->response->body('Page not found');
}
sub age_string {
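Review bot: `error_404` now writes the body directly but leaves the content type unset, so the response type depends on whatever default or earlier action applies. The string is static today, so nothing is injectable, but adding `$c->response->content_type('text/plain');` next to the body line keeps that true if the message ever includes the requested path. A short comment such as `# plain body on purpose: no template rendering on the error path` would also record why the stash/template route was dropped.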
=cut
method project (NonEmptySimpleStr $project) {
- my $path = $self->repo_dir->subdir($project);
+ my $path = $self->repo_dir->subdir($project)->resolve;
+ die "Directory traversal prohibited" unless $self->repo_dir->contains($path);
die "Not a valid Project" unless $self->_is_git_repo($path);
return Project->new( $self->repo_dir->subdir($project) );
}
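Review bot: The containment check runs on the resolved `$path`, but the return line still builds the object from `$self->repo_dir->subdir($project)`, i.e. from the raw input again. The validated value and the used value should be the same one, e.g. `return Project->new($path);`, though that may change the project's name when a repo is reached through a symlink, so confirm how Project derives it. `contains` appears to compare against `repo_dir` as configured, so a relative or symlinked `repo_dir` could make valid projects fail the check; resolving `repo_dir` once would avoid that. The test added in this commit covers only `'../../../'`; a symlink under the repo directory that points outside it would exercise the `resolve` step.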
my $project = $repo->project();
} 'throws exception for no project';
+dies_ok {
+ my $project = $repo->project('../../../');
+} 'throws exception for directory traversal';
+
my $project = $repo->project('repo1');
isa_ok($project, 'Gitalist::Git::Project');