sanitize path and revision separately

Author: vladak

opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java

@@ -33,8 +33,7 @@
 import java.util.stream.Stream;
 
 /**
- * Represents a container for sanitizing methods for avoiding classifications as
- * taint bugs.
+ * Represents a container for sanitizing methods for avoiding classifications as taint bugs.
  */
 public class Laundromat {
 
@@ -62,14 +61,26 @@ public static String launderServerName(String value) {
 
     /**
      * Sanitize {@code value} where it will be used in subsequent OpenGrok
-     * (non-logging) processing.
+     * (non-logging) processing. The value is assumed to represent a revision string,
+     * not including file path.
      * @return {@code null} if null or else {@code value} with anything besides
      * alphanumeric or {@code :} characters removed.
      */
     public static String launderRevision(String value) {
         return replaceAll(value, "[^a-zA-Z0-9:]", "");
     }
 
+    /**
+     * Sanitize {@code value} where it will be used in subsequent OpenGrok
+     * (non-logging) processing. The value is assumed to represent a file path,
+     * not necessarily existent.
+     * @return {@code null} if null or else {@code value} with anything besides
+     * alphanumeric or {@code :} characters removed.
+     */
+    public static String launderPath(String value) {
+        return replaceAll(value, ESC_N_R_T_F, "");
+    }
+
     /**
      * Sanitize {@code value} where it will be used in a Lucene query.
      * @return {@code null} if null or else {@code value} with "pattern-breaking

opengrok-web/src/main/java/org/opengrok/web/PageConfig.java

@@ -232,34 +232,31 @@ public String getHeaderData() {
     }
 
     /**
-     * Extract file path and revision strings from the URL.
-     * @param data DiffData object
+     * Extract file path and revision strings from the URI. Basically the request URI looks like this:
+     * {@code http://$site/$webapp/diff/$resourceFile?r1=$fileA@$revA&r2=$fileB@$revB}
+     * The code extracts file path and revision from the URI.
+     * @param data DiffData object (output parameter)
      * @param context context path
      * @param filepath file path array (output parameter)
      * @return true if the extraction was successful, false otherwise
      * (in which case {@link DiffData#errorMsg} will be set)
      */
     private boolean getFileRevision(DiffData data, String context, String[] filepath) {
-        /*
-         * Basically the request URI looks like this:
-         * http://$site/$webapp/diff/$resourceFile?r1=$fileA@$revA&r2=$fileB@$revB
-         * The code below extracts file path and revision from the URI.
-         */
         for (int i = 1; i <= 2; i++) {
-            String p = Laundromat.launderRevision(req.getParameter(QueryParameters.REVISION_PARAM + i));
+            String p = req.getParameter(QueryParameters.REVISION_PARAM + i);
             if (p != null) {
                 int j = p.lastIndexOf("@");
                 if (j != -1) {
-                    filepath[i - 1] = p.substring(0, j);
-                    data.rev[i - 1] = p.substring(j + 1);
+                    filepath[i - 1] = Laundromat.launderPath(p.substring(0, j));
+                    data.rev[i - 1] = Laundromat.launderRevision(p.substring(j + 1));
                 }
             }
         }
 
         if (data.rev[0] == null || data.rev[1] == null
                 || data.rev[0].isEmpty() || data.rev[1].isEmpty()
                 || data.rev[0].equals(data.rev[1])) {
-            data.errorMsg = "Please pick two revisions to compare the changed "
+            data.errorMsg = "Please pick two revisions to compare the changes "
                     + "from the <a href=\"" + context + Prefix.HIST_L
                     + getUriEncodedPath() + "\">history</a>";
             return false;