
Re: hook security

From: Karl Fogel <kfogel_at_red-bean.com>
Date: 2007-11-07 21:35:19 CET

Blair Zajac <blair@orcaware.com> writes:
> David Glasser wrote:
>> Do you think it's worth adding explicit notes to the comments in the
>> hook templates about the fact that the argument values should always be
>> "$QUOTED" in the hook script?
>>
>> This is especially the case for the PROPNAME arguments to the revprop
>> change scripts, which are essentially passed through blindly from the
>> client. (There is a *client-side* validity check, which is
>> irrelevant, and a check that it isn't an svn:wc: or svn:entry: prop;
>> and perhaps mod_dav_svn imposes other restrictions that I'm not
>> familiar with, but at least with svnserve a custom RA-driving client
>> could totally set the "foo; rm -rf /;" property.)
>>
>> --dave
>
> +1.

+1

Received on Wed Nov 7 21:35:36 2007

This is an archived mail posted to the Subversion Dev mailing list.
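The quoting point David raises above, shown as an added example that is not code from this thread or from Subversion's own hook templates. It is the body of a pre-revprop-change hook written so that every argument is treated as opaque data: the argument order (REPOS REV USER PROPNAME ACTION, new value on stdin) is the one Subversion passes to that hook; the function names and the allow-list pattern are this example's own choices. The two small `words_*` helpers exist only to make the difference between `"$PROPNAME"` and bare `$PROPNAME` visible.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-revprop-change hook body that
# never lets a client-supplied property name be re-parsed by the shell.
# Subversion calls the hook as:  pre-revprop-change REPOS REV USER PROPNAME ACTION
# with the new property value on stdin. ACTION is A (add), M (modify) or D (delete).

# Accept only the characters an ordinary property name uses. Everything else
# (spaces, ';', '$', '`', '*', ...) is rejected before it is used anywhere.
# Returns 0 when the name is acceptable, 1 otherwise.
validate_propname() {
    case "$1" in
        ''|*[!A-Za-z0-9:_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Policy check. Every expansion is double-quoted, so a name such as
# 'svn:log; rm -rf /' is one word in a comparison or a printf argument; it only
# becomes a command if a script pieces it into a string that is handed to
# eval or sh -c, which this hook never does.
# Returns 0 to allow the change, 1 to reject it.
revprop_hook_check() {
    repos="$1"; rev="$2"; user="$3"; propname="$4"; action="$5"

    if ! validate_propname "$propname"; then
        printf 'rejected: malformed property name in r%s by %s\n' "$rev" "$user" >&2
        return 1
    fi

    # Mirror the usual policy: only modifying svn:log is permitted.
    if [ "$propname" = "svn:log" ] && [ "$action" = "M" ]; then
        return 0
    fi
    printf 'rejected: %s of %s in %s r%s by %s\n' \
        "$action" "$propname" "$repos" "$rev" "$user" >&2
    return 1
}

# Demonstration helpers: how many words does the shell see?
words_quoted()   { set -- "$1"; echo $#; }   # quoted: always exactly one word
words_unquoted() { set -- $1;   echo $#; }   # unquoted: split on whitespace (and globbed)

# Stand-alone run: exercise the check with a constructed hostile name.
hostile='svn:log; rm -rf /'                  # constructed sample, taken from the thread
echo "quoted words:   $(words_quoted "$hostile")"     # 1
echo "unquoted words: $(words_unquoted "$hostile")"   # 4
if revprop_hook_check /srv/repos 42 alice "$hostile" M; then
    echo "hostile name allowed (bug)"
else
    echo "hostile name rejected"
fi
if revprop_hook_check /srv/repos 42 alice svn:log M; then
    echo "svn:log modification allowed"
fi
```

The allow-list in `validate_propname` is deliberately stricter than Subversion's own rules; the point is that the hook decides what it will accept rather than trusting the client, and that even an accepted name only ever appears inside double quotes.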