Hi Karl
Thank you for the commit.
I found two comment errors.
See the attached patch.
Regards.
Masaru.
2007/11/13, Karl Fogel <kfogel@red-bean.com>:
> "David Glasser" <glasser@davidglasser.net> writes:
> >> A comma works fine if the whole list is double-quoted, and we should
> >> probably be quoting all parameters anyway to handle spaces in paths,
> >> etc. if APR isn't already.
> >
> > This behavior disturbs me. It implies that via a careful choice of
> > username or revprop name or something, Windows hooks can receive
> > arguments that are shifted one or more spaces.
> >
> > We should figure out if this causes any serious security problems.
>
> Yes. Since the code in hooks is arbitrary, the question is really
> "Can we construct a hook in which arg shifting would cause a security
> problem?" To which the answer is clearly yes; whether that would be a
> plausible hook script or not I don't know.
>
> Should we instead just check for platform-specific dangerous
> characters before passing any arguments to hook scripts? That seems
> like the safest bet.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Nov 14 14:51:39 2007