lib/init.sh: sanitize the version string

the release functions in release.sh rely on the
version string *not* being a path containing slashes.
just a single string e.g. "foo", not e.g. "foo/bar"

this is because several checks there make that
assumption. in practise, we always ensure that tags
and such do not contain these characters.

however, someone else working on their own version
of xbmk might not know of this design flaw, so let's
try to correct it in code.

we can add more filtering as designed, in the relevant
function (xbmk_sanitize_version).

Signed-off-by: Leah Rowe <leah@libreboot.org>

2 files changed, 18 insertions, 0 deletions

diff --git a/include/init.sh b/include/init.sh
index 03c45c1a..264e98df 100644
--- a/include/init.sh
+++ b/include/init.sh
@@ -60,6 +60,8 @@ xbmk_get_version()
 	[ ! -e ".git" ] && [ ! -f ".version" ] && version="unknown"
 	[ ! -e ".git" ] && [ ! -f ".versiondate" ] && versiondate="1716415872"
 
+	xbmk_sanitize_version
+
 	[ -n "$version" ] && relname="$projectname-$version"; :
 }
 
diff --git a/include/lib.sh b/include/lib.sh
index 948d7f3f..a2b93a97 100644
--- a/include/lib.sh
+++ b/include/lib.sh
@@ -22,10 +22,26 @@ mkrom_tarball()
 
 update_xbmkver()
 {
+	xbmk_sanitize_version
+
 	printf "%s\n" "$version" > "$1/.version" || err "$1 !version"; :
 	printf "%s\n" "$versiondate" > "$1/.versiondate" || err "$1 !vdate"; :
 }
 
+xbmk_sanitize_version()
+{
+	[ -n "$version" ] || return 0; :
+
+	version="`printf "%s\n" "$version" | sed -e 's/\t//g'`"
+	version="`printf "%s\n" "$version" | sed -e 's/\ //g'`"
+	version="`printf "%s\n" "$version" | sed -e 's/\.\.//g'`"
+	version="`printf "%s\n" "$version" | sed -e 's/\.\///g'`"
+	version="`printf "%s\n" "$version" | sed -e 's/\//-/g'`"
+	version="${version#-}"
+
+	[ -n "$version" ] || err "'version' empty after sanitization"; :
+}
+
 mktarball()
 {
 	printf "Creating tar archive '%s' from directory '%s'\n" "$2" "$1"