
SV: Re: SV: Re: SV: Re: Integration with Bugtracking Systems / Issue trackers

From: Hans-Emil Skogh <Hans-Emil.Skogh_at_tritech.se>
Date: 2006-08-25 08:52:29 CEST

> I totally agree so I suggest implementing it sufficiently
> generic that it will work for more than just what I want
> to use it for, just in a way that does not throw me back
> at the hooks, I don't like them for this ;-)

Better put on your hook reflecting suit before reading this then... =)

> So this is now my proposal:
> Introduce three properties:
> Property: tsvn:linkedapp:x
> where x is 1, 2, 3; this allowing for multiple buttons to be
> added through this feature
> Value:
> first line: path and filename to an executable file
> second line, optional: button caption

Ok. Suppose an open source project decides to use this feature.
I join the project, upload some malicious executable to the repository*
and change the tsvn:linkedapp:x-property to point to the evil exe.

* This is a voluntary step as there probably are naughty enough exes on
most machines waiting to be exploited.

> It should be possible for this to be either an executable
> binary (file://) or some web page (http://).
> To make this really work the first line of the property
> value must allow for some escape characters to be used.
> %BUGID%
> %USERNAME%
> %PASSWORD%
> %REPOS% (the repository URL)

Whoo! Or almost better! I'll just change the property to send your
username and password to a webpage under my control where I log them and
redirect you to the original page.

Properties are a powerful thing, but with great powers come great
responsibilities. ;-)

Basically though I like your idea, but I do think we need some
thought-through security policies before putting things like
file-execution-configurations in the repository...

Hooks seem to be the safer way to go as the user (or his sysadmin in
the case of companies) actively will have to install them.

> Once I get some agreement that this might indeed be a good
> feature, can I code it and contribute, or how does that work?

You submit a patch here on the list, Stefan will have a look at it, and
if it's any good it will be accepted and added. Simple as that.

Hans-Emil

Received on Fri Aug 25 08:52:05 2006
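
The concern raised in this message, as an added example that is not part of the original post or of TortoiseSVN: a client-side check that treats a repository-supplied `tsvn:linkedapp:x` value (the property proposed in the thread) as untrusted and accepts it only when it matches policy installed locally. The function name, allowlists, hosts and paths are hypothetical, constructed values.

```python
import ntpath
from urllib.parse import urlsplit

# Assumed local policy, installed by the user or sysadmin and never read
# from the repository. All values below are constructed for illustration.
TRUSTED_HOSTS = {"bugs.example.org"}
TRUSTED_EXES = {ntpath.normcase(r"C:\Program Files\Tracker\tracker.exe")}
SECRET_TOKENS = ("%USERNAME%", "%PASSWORD%")

def check_linkedapp(value):
    """Return (allowed, reason) for a repository-supplied property value."""
    lines = value.splitlines()
    target = lines[0].strip() if lines else ""   # first line is the target
    if not target:
        return False, "empty target"
    if target.lower().startswith("file://"):
        # Collapse ".." and case before comparing, so a path that merely
        # starts inside a trusted directory cannot escape it.
        path = ntpath.normcase(ntpath.normpath(target[7:].lstrip("/")))
        if path in TRUSTED_EXES:
            return True, "trusted executable"
        return False, "executable not in local allowlist"
    try:
        parts = urlsplit(target)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "unsupported scheme"
    # hostname ignores any user@ prefix, so the decision is made on the
    # host the request would really be sent to.
    if (parts.hostname or "") not in TRUSTED_HOSTS:
        return False, "untrusted host"
    if parts.scheme.lower() != "https" and any(
            tok in target.upper() for tok in SECRET_TOKENS):
        return False, "credentials over cleartext"
    return True, "trusted host"
```

Because the allowlists live outside the working copy, a committer who edits the property can only select among targets the user already approved, which is the same trust model as locally installed hooks.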

This is an archived mail posted to the TortoiseSVN Dev mailing list.