From 67caae5874fda7371cb543e248b1014ae17e14d7 Mon Sep 17 00:00:00 2001
From: Nathan Wagner
Date: Sat, 15 Sep 2018 09:48:36 +0000
Subject: [PATCH] check for disallowed characters in package ids
---
 lib/findpkg.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/findpkg.c b/lib/findpkg.c
index dec9283..865f407 100644
--- a/lib/findpkg.c
+++ b/lib/findpkg.c
@@ -30,6 +30,9 @@ int zpm_parse_package(char *pstr, char *name, char *ver, int *rel) {
 /* everything up to the first '-' is in the name */
 while (*pstr) {
+ if (*pstr == '\'' || !isgraph(*pstr)) {
+ return 0;
+ }
 if (*pstr == '-' && isdigit(*(pstr+1))) {
 break;
 }
@@ -44,6 +47,9 @@ int zpm_parse_package(char *pstr, char *name, char *ver, int *rel) {
 pstr++;
 }
 while (*pstr && *pstr != '-') {
+ if (*pstr == '\'' || !isgraph(*pstr)) {
+ return 0;
+ }
 if (ver) {
 *ver++ = *pstr;
 }
--
2.40.0
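Review bot: `isgraph(*pstr)` is called with a plain `char` in both added checks (the name loop here and the version loop in the second hunk), so on platforms where `char` is signed any byte of 0x80 or above reaches `isgraph` as a negative value, which is undefined behaviour for the `<ctype.h>` functions. Because this check is the gate for untrusted package ids, cast before classifying: `if (*pstr == '\'' || !isgraph((unsigned char)*pstr)) {`. The `isdigit(*(pstr+1))` on the following context line has the same problem. `isgraph` also follows the process locale, so if the program ever calls `setlocale` the accepted set can change; an explicit test such as `*pstr > 0x20 && *pstr < 0x7f` would pin it to printable ASCII. The body of zpm_parse_package starts and ends outside the hunk.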
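Review bot: The early `return 0;` in the version loop leaves `ver` holding the characters copied by earlier iterations, with no terminating NUL written on this path as far as the hunk shows. A caller that reads `ver` without first testing the return value would then see a partial, possibly unterminated string; adding `if (ver) *ver = 0;` before the return, or validating the whole of `pstr` before copying anything, avoids that. Whether 0 is the failure value callers already check for cannot be confirmed here, since the rest of zpm_parse_package is outside the hunk.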