David Glasser wrote:
> Do you think it's worth adding explicit notes to the comments in the
> hook templates the fact that the argument values should always be
> "$QUOTED" in the hook script?
>
> This is especially the case for the PROPNAME arguments to the revprop
> change scripts, which are essentially passed through blindly from the
> client. (There is a *client-side* validity check, which is
> irrelevant, and a check that it isn't an svn:wc: or svn:entry: prop;
> and perhaps mod_dav_svn imposes other restrictions that I'm not
> familiar with, but at least with svnserve a custom RA-driving client
> could totally set the "foo; rm -rf /;" property.
>
> --dave
+1.
Blair
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Nov 7 20:25:24 2007