Re: safe HTTP transport of lock comments

From: Julian Foad <julianfoad_at_btopenworld.com>
Date: 2005-02-17 23:40:02 CET

Ben Collins-Sussman wrote:
> Karl and I have been trying to come up with a coherent plan to deal
> with safely moving lock "comments" over the DAV layer. At the moment,
> they're not being xml-escaped at all, nor is there even a guarantee
> that these comments *can* be xml-escaped. [...]

Right. XML-escaping is needed.

> In a perfect world, we'd treat lock comments and log messages
> identically. At the moment, the only repository-side requirement is
> that these sorts of messages be UTF8... of course, that doesn't
> guarantee that DAV can safely transport them over XML. [...]

I assumed that we have a client-side (and therefore almost system-wide)
requirement that log messages don't contain characters that are disallowed in
XML. However, a quick test reveals that such characters are accepted by our
client and survive through the other RA methods.

My view is that allowing those characters to be put into log messages is
unnecessary (as they're not very useful) and erroneous (as they don't survive
over RA-DAV), so we shouldn't allow them. We should specify that the
characters allowed in log messages AND in lock comments are the printable and
basic white space characters, and we should enforce this in the client.

(As for the exact set of characters to allow, didn't we very recently define a
set like this and provide functions for it and use it to validate path names or

I think we might agree that the current acceptance of such characters in log
messages is a bug.

> The goal is a perfectly lossless transport of the lock comment over
> HTTP [...]

That's a fine goal, and can be achieved simply by enforcing the same
client-side validity check for lock comments that we (should/will) enforce for
log messages. Isn't that your perfect world?

- Julian

Received on Thu Feb 17 23:46:44 2005
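
The client-side validity check proposed in this message, sketched as an added example (not Subversion's code; all function names are hypothetical). It assumes "allowed" means the XML 1.0 `Char` production, which is broader than the "printable and basic white space" set suggested above. Code points outside that production cannot appear in an XML 1.0 document even as character references, so escaping alone cannot carry them.

```c
#include <stddef.h>
#include <string.h>

/* Decode one UTF-8 sequence at s (n bytes left). Returns its length and
   stores the code point, or returns 0 for malformed or overlong input. */
static size_t decode_utf8(const unsigned char *s, size_t n, unsigned long *cp)
{
    static const unsigned long min_cp[] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; *cp = s[0] & 0x07; }
    else return 0;                      /* stray continuation or invalid lead */
    if (len > n) return 0;              /* truncated sequence */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return (*cp < min_cp[len]) ? 0 : len;   /* reject overlong encodings */
}

/* XML 1.0 "Char" production: the only code points an XML 1.0 document
   may contain, whether written literally or as a character reference. */
static int is_xml_char(unsigned long cp)
{
    return cp == 0x9 || cp == 0xA || cp == 0xD
        || (cp >= 0x20 && cp <= 0xD7FF)
        || (cp >= 0xE000 && cp <= 0xFFFD)
        || (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Hypothetical client-side check for a log message or lock comment:
   returns -1 if the text can travel inside XML (after escaping of
   markup characters), else the byte offset of the first bad sequence. */
long comment_first_bad_offset(const char *text)
{
    const unsigned char *s = (const unsigned char *)text;
    size_t n = strlen(text), off = 0;
    while (off < n) {
        unsigned long cp = 0;
        size_t len = decode_utf8(s + off, n - off, &cp);
        if (len == 0 || !is_xml_char(cp)) return (long)off;
        off += len;
    }
    return -1;
}
```

Markup characters such as `<` and `&` pass this check because they are representable once escaped; a control character such as U+0001 is rejected because no escaping makes it legal.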

This is an archived mail posted to the Subversion Dev mailing list.