[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: start-commit.bat

From: masaru tsuchiyama <m.tmatma_at_gmail.com>
Date: 2007-11-14 14:30:43 CET

Hi Karl

Thank you for the commit.

I found two comment errors.
See the attached patch.

Regards.
Masaru.

2007/11/13, Karl Fogel <kfogel@red-bean.com>:
> "David Glasser" <glasser@davidglasser.net> writes:
> >> A comma works fine if the whole list is double-quoted, and we should
> >> probably be quoting all parameters anyway to handle spaces in paths,
> >> etc. if APR isn't already.
> >
> > This behavior disturbs me. It implies that via a careful choice of
> > username or revprop name or something, Windows hooks can receive
> > arguments that are shifted one or more spaces.
> >
> > We should figure out if this causes any serious security problems.
>
> Yes. Since the code in hooks is arbitrary, the question is really
> "Can we construct a hook in which arg shifting would cause a security
> problem?" To which the answer is clearly yes; whether that would be a
> plausible hook script or not I don't know.
>
> Should we instead just check for platform-specific dangerous
> characters before passing any arguments to hook scripts? That seems
> like the safest bet.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Wed Nov 14 14:51:39 2007

This is an archived mail posted to the Subversion Dev mailing list.