
Re: mod_dav_svn not XML-escaping hook error messages

From: Julian Foad <julianfoad_at_btopenworld.com>
Date: Thu, 17 Dec 2009 15:21:55 +0000

On Mon, 2009-12-14, I (Julian Foad) wrote:
> Jon Foster wrote:
> > It seems that mod_dav_svn doesn't escape special XML characters like
> > "<" and ">" in the error messages from hook scripts. This causes
> > corrupt XML to be sent across the wire. Here's a Wireshark capture
> > of the response to the PROPPATCH:
> [...]

> It looks like the problem has been there for years. I think this patch
> should fix it. Do you feel like writing a regression test?

I wrote one myself. Attached. I confirmed the bug, but I am having
trouble testing my test. It may be to do with the test suite not quite
properly supporting a build in a separate directory.

> [[[
> In mod_dav_svn, make error output from the post-commit hook XML-safe, to fix
> the "invalid XML" error that occurred if a post-commit error message
> contained "&" or "<" characters.
>
> * subversion/mod_dav_svn/merge.c
> (dav_svn__merge_response): XML-quote the error string.
> --This line, and those below, will be ignored--
>
> Index: subversion/mod_dav_svn/merge.c
> ===================================================================
> --- subversion/mod_dav_svn/merge.c (revision 889737)
> +++ subversion/mod_dav_svn/merge.c (working copy)
> @@ -252,7 +252,9 @@ dav_svn__merge_response(ap_filter_t *out
> post_commit_err_elem = apr_psprintf(pool,
> "<S:post-commit-err>%s"
> "</S:post-commit-err>",
> - post_commit_err);
> + apr_xml_quote_string(pool,
> + post_commit_err,
> + 0));
> }
> else
> {
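
Review bot: the bare `0` passed as the last argument to apr_xml_quote_string() in the added lines should have a short comment explaining it. With that flag off, double quotes are left unescaped, which is correct here only because the string becomes element content of <S:post-commit-err> rather than an attribute value. The log message names only "&" and "<" as the characters that triggered the invalid XML, while the report quoted above also names ">"; listing all three would match what the call escapes. The hunk itself carries no test, so the regression test attached to this mail should be committed together with it once it runs in a separate build directory.
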
> ]]]

- Julian

Received on 2009-12-17 16:22:31 CET

This is an archived mail posted to the Subversion Dev mailing list.
