[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: cvs2svn.py patch

From: Greg Stein <gstein_at_lyra.org>
Date: 2002-04-15 08:44:34 CEST

On Sun, Apr 14, 2002 at 11:39:16AM -0400, Greg Hudson wrote:
> On Sun, 2002-04-14 at 05:27, Arkadiusz Miskiewicz wrote:
> > - pipe = os.popen('co -q -p%s %s' % (r, f), 'r', 102400)
> > + pipe = os.popen('co -q -p%s \'%s\'' % (r, f), 'r', 102400)
>
> This isn't a panacea; the filename could still contain single quotes.
>
> It would be much more robust if you could construct the arguments as a
> list rather than relying on the shell. Unfortunately, Python's "os"
> interface seems to be very much modeled on the Unix C library rather
> than what you'd get if you were designing an interface for Python; so,
> just as in C, you have to fork and exec yourself if you want to do
> things the robust way.

In the ViewCVS code, I have a popen module that uses fork/exec to protect
against shell syntax. It is definitely safer, which is a reqirement for a
program like ViewCVS :-)

Since the rcsparse module is already required from ViewCVS, it might make
some sense to also use popen. I'll take a look at it next time that I'm in
cvs2svn. (the swig bindings and cvs2svn definitely need to be reviewed to
check on their current state)

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 15 08:45:03 2002

This is an archived mail posted to the Subversion Dev mailing list.