Remove backticks from author names passed to gnuplot.

Without this, author names containing `touch /tmp/vulnerable` would cause said
file to appear after generating statistics for the given repository.

This is not an optimal solution. Instead of blacklisting characters we should
either whitelist some, or find a safe escape mechanism for gnuplot.
Heikki Hokkanen
2013-12-21 15:04:04 +02:00
parent a664c2eb6b
commit 5ba386aede


@@ -1314,7 +1314,8 @@ plot """
plots = []
for a in self.authors_to_plot:
i = i + 1
plots.append("""'lines_of_code_by_author.dat' using 1:%d title "%s" w lines""" % (i, a.replace("\"", "\\\"")))
author = a.replace("\"", "\\\"").replace("`", "")
plots.append("""'lines_of_code_by_author.dat' using 1:%d title "%s" w lines""" % (i, author))
f.write(", ".join(plots))
f.write('\n')
@@ -1341,7 +1342,8 @@ plot """
plots = []
for a in self.authors_to_plot:
i = i + 1
plots.append("""'commits_by_author.dat' using 1:%d title "%s" w lines""" % (i, a.replace("\"", "\\\"")))
author = a.replace("\"", "\\\"").replace("`", "")
plots.append("""'commits_by_author.dat' using 1:%d title "%s" w lines""" % (i, author))
f.write(", ".join(plots))
f.write('\n')
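Review bot: Backslashes in the author name still reach gnuplot unescaped on the new `author =` line, so a name ending in `\` produces `\"` in place of the closing quote and the double-quoted title no longer terminates where the code expects; escape the backslash before the quote, `author = a.replace("\\", "\\\\").replace("\"", "\\\"").replace("`", "")`. The same three-call sanitisation is duplicated in the second hunk for `commits_by_author.dat`; a small helper such as `def _gnuplot_title(name):` returning that expression would keep both in step and give a single place to tighten the escaping the commit message itself calls non-optimal. The enclosing method, which sets up the `i` counter and the `f` handle, starts and ends outside the shown lines.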