GerritPersonIdentProvider: Sanitize user.name and user.email values

The user.name and user.email values are taken as-is from the config without any sanitization, which would allow them to be configured with values that may interfere with standard email address parsing. Use JGit's PersonIdent#appendSanitized method to sanitize the values. Change-Id: If9c555aae26f1afcee1ec566154b43b7a11d2c71
2018-06-20 14:43:18 +09:00
parent 11a98d0c92
commit d6b455cb38
1 changed files with 10 additions and 6 deletions
--- a/gerrit-server/src/main/java/com/google/gerrit/server/GerritPersonIdentProvider.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/GerritPersonIdentProvider.java
@@ -14,6 +14,8 @@

 package com.google.gerrit.server;

+import static com.google.common.base.MoreObjects.firstNonNull;
+
 import com.google.gerrit.server.config.GerritServerConfig;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
@@ -30,12 +32,14 @@ public class GerritPersonIdentProvider implements Provider<PersonIdent> {

  @Inject
  public GerritPersonIdentProvider(@GerritServerConfig final Config cfg) {
-    String name = cfg.getString("user", null, "name");
-    if (name == null) {
-      name = "Gerrit Code Review";
-    }
-    this.name = name;
-    email = cfg.get(UserConfig.KEY).getCommitterEmail();
+    StringBuilder name = new StringBuilder();
+    PersonIdent.appendSanitized(
+        name, firstNonNull(cfg.getString("user", null, "name"), "Gerrit Code Review"));
+    this.name = name.toString();
+
+    StringBuilder email = new StringBuilder();
+    PersonIdent.appendSanitized(email, cfg.get(UserConfig.KEY).getCommitterEmail());
+    this.email = email.toString();
  }

  @Override