ui-shared: Avoid new line injection into redirect header

[ps-cgit] / ui-shared.c

diff --git a/ui-shared.c b/ui-shared.c
index c04f380be52defbcfb2afb9187b61529c24e68ed..21f581f07fbf98feba066796fd3d489dfd5efca7 100644 (file)
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -525,7 +525,7 @@ void cgit_object_link(struct object *obj)
 {
        char *page, *shortrev, *fullrev, *name;
 
-       fullrev = sha1_to_hex(obj->sha1);
+       fullrev = oid_to_hex(&obj->oid);
        shortrev = xstrdup(fullrev);
        shortrev[10] = '\0';
        if (obj->type == OBJ_COMMIT) {
@@ -709,7 +709,9 @@ void cgit_print_http_headers(void)
 void cgit_redirect(const char *url, bool permanent)
 {
        htmlf("Status: %d %s\n", permanent ? 301 : 302, permanent ? "Moved" : "Found");
-       htmlf("Location: %s\n\n", url);
+       html("Location: ");
+       html_url_path(url);
+       html("\n\n");
        exit(0);
 }
 
@@ -889,6 +891,9 @@ void cgit_add_hidden_formfields(int incl_head, int incl_search,
 
 static const char *hc(const char *page)
 {
+       if (!ctx.qry.page)
+               return NULL;
+
        return strcmp(ctx.qry.page, page) ? NULL : "active";
 }