[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

issue-2897: lack of escaping in construct_rooted_path_segments

From: David Glasser <glasser_at_davidglasser.net>
Date: Fri, 4 Jan 2008 17:36:11 -0500

The new construct_rooted_path_segments interpolates pathnames (in
fact, probably RA-user-specified pathnames) directly into a query
string. This will be a security hole.

If this code continues to exist, it should be fixed to return two
things: a string like "(?,?,?,?)" and an array of parent paths to
bind.

I wouldn't actually recommend prioritizing fixing this, since I plan
to reimplement svn_fs_mergeinfo_get_commit_and_merge_ranges without
SQLite anyway. But if that doesn't happen and we end up actually
using this backend, this is a must-fix.

This is now tracked in issue #3063; I added a warning comment in r28753.

--dave

-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-01-04 23:36:21 CET

This is an archived mail posted to the Subversion Dev mailing list.