Sanitize branch name and ref name

author: Marin Jankovski <maxlazio@gmail.com> 2014-11-13 16:20:43 +0100
committer: Marin Jankovski <maxlazio@gmail.com> 2014-11-13 16:20:43 +0100
commit: 334fe86574227433bd2909577c5955c40721d509 (patch)
tree: ea50e69cec4f0f5e8df4195756d0f45a74fa3962 /app/controllers/projects/branches_controller.rb
parent: 9eb571f0ea49d182353d576739d412b914a46b62 (diff)
download: gitlab-ce-334fe86574227433bd2909577c5955c40721d509.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index 9ebd498e7fa..cff1a907dc2 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -1,4 +1,5 @@
 class Projects::BranchesController < Projects::ApplicationController
+  include ActionView::Helpers::SanitizeHelper
   # Authorize
   before_filter :require_non_empty_project
 
@@ -16,8 +17,10 @@ class Projects::BranchesController < Projects::ApplicationController
   end
 
   def create
+    branch_name = sanitize(strip_tags(params[:branch_name]))
+    ref = sanitize(strip_tags(params[:ref]))
     result = CreateBranchService.new(project, current_user).
-        execute(params[:branch_name], params[:ref])
+        execute(branch_name, ref)
 
     if result[:status] == :success
       @branch = result[:branch]
author	Marin Jankovski <maxlazio@gmail.com>	2014-11-13 16:20:43 +0100
committer	Marin Jankovski <maxlazio@gmail.com>	2014-11-13 16:20:43 +0100
commit	334fe86574227433bd2909577c5955c40721d509 (patch)
tree	ea50e69cec4f0f5e8df4195756d0f45a74fa3962 /app/controllers/projects/branches_controller.rb
parent	9eb571f0ea49d182353d576739d412b914a46b62 (diff)
download	gitlab-ce-334fe86574227433bd2909577c5955c40721d509.tar.gz