
Re: cvs2svn.py patch

From: Greg Stein <gstein_at_lyra.org>
Date: 2002-04-15 08:44:34 CEST

On Sun, Apr 14, 2002 at 11:39:16AM -0400, Greg Hudson wrote:
> On Sun, 2002-04-14 at 05:27, Arkadiusz Miskiewicz wrote:
> > - pipe = os.popen('co -q -p%s %s' % (r, f), 'r', 102400)
> > + pipe = os.popen('co -q -p%s \'%s\'' % (r, f), 'r', 102400)
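Review bot: the single-quoting on the `+` line still hands the whole string to /bin/sh, and a filename that itself contains a `'` closes the quoted region early, so the command either fails or runs with tokens the shell picked out of the filename. If the shell must stay, escape each embedded quote as `'\''` (or use a quoting helper); better, pass `['co', '-q', '-p' + r, f]` as an argument list to a fork/exec wrapper so no shell parses the name at all.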
>
> This isn't a panacea; the filename could still contain single quotes.
>
> It would be much more robust if you could construct the arguments as a
> list rather than relying on the shell. Unfortunately, Python's "os"
> interface seems to be very much modeled on the Unix C library rather
> than what you'd get if you were designing an interface for Python; so,
> just as in C, you have to fork and exec yourself if you want to do
> things the robust way.

In the ViewCVS code, I have a popen module that uses fork/exec to protect
against shell syntax. It is definitely safer, which is a requirement for a
program like ViewCVS :-)

Since the rcsparse module is already required from ViewCVS, it might make
some sense to also use popen. I'll take a look at it next time that I'm in
cvs2svn. (the swig bindings and cvs2svn definitely need to be reviewed to
check on their current state)

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
Received on Mon Apr 15 08:45:03 2002
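An added example, not code from this thread or from cvs2svn/ViewCVS, contrasting the single-quoted shell string from the patch with the argument-list approach Greg Hudson describes. The filename is constructed, and the Python interpreter stands in for RCS `co` in the run step so the example works on any machine.

```python
import os
import shlex
import subprocess
import sys
import tempfile


def shell_command(rev, filename):
    """The quoting fix from the patch: the filename wrapped in single quotes."""
    return "co -q -p%s '%s'" % (rev, filename)


def shell_tokens(cmd):
    """Tokens a POSIX shell would derive from cmd, or None when the quoting
    is unbalanced (a filename containing a single quote does exactly that)."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


def argv_command(rev, filename):
    """Argument list for a fork/exec style runner: no shell parses it, so the
    filename reaches the program byte-for-byte, quotes and spaces included."""
    return ["co", "-q", "-p%s" % rev, filename]


def read_without_shell(filename):
    """Run a child on an awkward filename via an argument list. The Python
    interpreter stands in for RCS `co` (assumption) so this runs anywhere."""
    argv = [sys.executable, "-c",
            "import sys; sys.stdout.write(open(sys.argv[1]).read())", filename]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def demo():
    # Constructed filename with a single quote and a space in it.
    name = "it's a file.c"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write("hello\n")
        return {
            "shell_tokens": shell_tokens(shell_command("1.1", path)),  # None: broken quoting
            "argv_name": argv_command("1.1", path)[-1] == path,        # True: name intact
            "content": read_without_shell(path),                       # "hello\n"
        }
```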

This is an archived mail posted to the Subversion Dev mailing list.
