Re: Re: The Data Sanitization Plan

On Wed, Jun 26, 2002 at 01:33:10AM -0700, Greg Stein wrote:
> On Tue, Jun 25, 2002 at 01:55:23PM -0700, Bill Tutt wrote:
>
> > This escapes most of the data when necessary and still allows a little
> > fudge room from pasting in URIs from browser address bars.
> >
> > The only other alternative to that is a stat() like approach. i.e. see
> > if either non-escaped target, or the escaped target exist, and pick the
> > first one that exists as your winner.
>
> That doesn't work. What if you're importing? Does the new file need to be
> escaped, or not?
>

Or if they both exist.

POLA/UI-Consistency argues for escaping '%' as well.

The paste-from-browser problem is much harder: metacharacters in URLs
confuse command interpreters. We can't solve this problem. It doesn't
make sense to introduce inconsistency to svn over a problem that we
can't solve.

Let's say someone *does* paste a URL-encoded string onto the command-line:

$ svn co http://www.foo.com/repo%20name -d dir

They'll get an error message. It will be:

subversion/libsvn_ra_dav/options.c:126
svn_error: #21097 : <RA layer didn't receive requested OPTIONS info>
  The OPTIONS response did not include the requested activity-collection-set.
(Check the URL again; this often means that the URL is not WebDAV-enabled.)

This is probably good enough to convince the user that pasting URL-encoded
data is not such a good idea ("Check the URL again").

--ben

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jun 26 19:14:50 2002