Re: [PATCH] hooks-scripts: fix svn2feed.py on Windows

From: Peter Samuelson <peter_at_p12n.org>
Date: Sat, 28 Jun 2008 15:51:41 -0500

[Peter Samuelson]
> I suggest doing something along the lines of
>
> cmd = '"%s" info -r%s "%s"' % svnlook_cmd, revision, self.repos_path

Forgot to mention - this has a security hole if users are allowed to
create their own repositories which will then be served via svnserve or
mod_dav_svn. Not a problem on Windows, perhaps, if " is not a legal
character in a filename, but on Unix it is, so I could run arbitrary
code as the svnserve or apache user by creating a repository called

/var/lib/svn/repos/"; do whatever I want

Much better to pass a list to popen3. I wonder why they don't bother
to support (emulate) that on Windows.

-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

application/pgp-signature attachment: Digital signature

Received on 2008-06-28 22:51:55 CEST

This message: [ Message body ]
Next message: Peter Samuelson: "Re: [PATCH] hooks-scripts: fix svn2feed.py on Windows"
Previous message: Peter Samuelson: "Re: [PATCH] hooks-scripts: fix svn2feed.py on Windows"
In reply to: Peter Samuelson: "Re: [PATCH] hooks-scripts: fix svn2feed.py on Windows"
Next in thread: Peter Samuelson: "Re: [PATCH] hooks-scripts: fix svn2feed.py on Windows"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]