From: joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Sun, 22 Apr 2007 17:45:39 +0000 (+0000)
Subject: * In mercurial backend, untaint ipaddr when using it as the user for the
X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/commitdiff_plain/1e62d2bc0c3c5ff0ab52dfdfe82c8abbcb5b6c3a?hp=bad02f285615b839c3f4bfba6ac0638c73f4b57c

* In mercurial backend, untaint ipaddr when using it as the user for the
  commit. Thanks, Alexander Wirt. Closes: #420428
---

diff --git a/IkiWiki/Rcs/mercurial.pm b/IkiWiki/Rcs/mercurial.pm
index 84bf99c68..2e15085ec 100644
--- a/IkiWiki/Rcs/mercurial.pm
+++ b/IkiWiki/Rcs/mercurial.pm
@@ -72,7 +72,7 @@ sub rcs_commit ($$$;$$) { #{{{
 		$user = possibly_foolish_untaint($user);
 	}
 	elsif (defined $ipaddr) {
-		$user = "Anonymous from $ipaddr";
+		$user = "Anonymous from ".possibly_foolish_untaint($ipaddr);
 	}
 	else {
 		$user = "Anonymous";
diff --git a/debian/changelog b/debian/changelog
index 3bc1d5086..e4b0fc75f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,10 @@ ikiwiki (1.51) UNRELEASED; urgency=low
   * Support setting svnpath to "" for wikis that are rooted at the top of
     their svn repositories, with no trunk directory.
   * Minor template improvements by Alessandro.
+  * In mercurial backend, untaint ipaddr when using it as the user for the
+    commit. Thanks, Alexander Wirt. Closes: #420428
 
- -- Joey Hess <joeyh@debian.org>  Wed, 18 Apr 2007 19:35:29 -0400
+ -- Joey Hess <joeyh@debian.org>  Sun, 22 Apr 2007 13:43:49 -0400
 
 ikiwiki (1.50) unstable; urgency=low