
Re: Lock message not xml escaped

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 6 Apr 2009 13:15:12 +0300 (Jerusalem Daylight Time)

kmradke_at_rockwellcollins.com wrote on Thu, 2 Apr 2009 at 17:18 -0500:
> After posting on users, I have now verified that lock messages
> are not correctly xml escaped over neon in both svn 1.5 and 1.6.
>
>
> svn lock http://server/repo/path/to/file.txt -m"Lock & load"
>
> fails with error:
>
> svn: Server sent unexpected return value (400 Bad Request) in response to
> LOCK request for '/repo/path/to/file.txt'
>
> Looking at the xml sent from the client to the server it is obviously not
> escaped:
>
> <?xml version="1.0" encoding="utf-8" ?><D:lockinfo xmlns:D="DAV:">
> <D:lockscope><D:exclusive /></D:lockscope> <D:locktype><D:write
> /></D:locktype> <D:owner>Lock & load</D:owner></D:lockinfo>
>
> "&" should be replaced with "&amp;"
>
> Line 411 of libsvn_client/locking_commands.c is checking to make
> sure the comment doesn't contain non-xml escapable characters, but
> isn't escaping the string.

FWIW, same in svn_ra_lock() in ra_loader.c.

> I'm not sure if it should (since not all ra layers will probably need
> the comment xml escaped.)
>
> Is the proper place to xml escape this around line 274
> of libsvn_ra_neon/lock.c? (And possibly somewhere in the other
> ra layers?)
>

Agreed. +1 to fixing it in libsvn_ra_neon/lock.c (in
svn_ra_neon__lock() or one of its helpers).

> (This seems like a trivial fix, so I'm not offended if someone
> else beats me to a patch...)
>

Agreed...

Daniel

> Thanks!
> Kevin R.
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1525355
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1560403
Received on 2009-04-06 12:15:26 CEST
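
The fix discussed in this thread, as an added example that is not part of the original mail and is not Subversion's own code: a stand-alone C program that escapes the lock comment as XML character data before placing it in the D:owner element of the LOCK request body. The function names xml_escape_cdata() and build_lockinfo() are hypothetical, and plain malloc() stands in for the project's memory handling.

```c
/* Added example, not Subversion source: escape a lock comment before
   embedding it as character data in a WebDAV LOCK request body.
   xml_escape_cdata() and build_lockinfo() are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of s with &, < and > replaced by entities
   (NULL on allocation failure). The caller frees the result. */
char *xml_escape_cdata(const char *s)
{
    size_t n = strlen(s), i;
    /* Worst case: every byte becomes "&amp;" (5 bytes). */
    char *out = malloc(n * 5 + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        switch (s[i]) {
        case '&': memcpy(p, "&amp;", 5); p += 5; break;
        case '<': memcpy(p, "&lt;", 4);  p += 4; break;
        case '>': memcpy(p, "&gt;", 4);  p += 4; break;
        default:  *p++ = s[i];
        }
    }
    *p = '\0';
    return out;
}

/* Build a lockinfo body like the one in the report, comment escaped. */
char *build_lockinfo(const char *comment)
{
    static const char fmt[] =
        "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
        "<D:lockinfo xmlns:D=\"DAV:\">"
        "<D:lockscope><D:exclusive /></D:lockscope>"
        "<D:locktype><D:write /></D:locktype>"
        "<D:owner>%s</D:owner></D:lockinfo>";
    char *esc = xml_escape_cdata(comment), *body = NULL;
    if (esc != NULL) {
        size_t len = sizeof(fmt) + strlen(esc);  /* fmt includes "%s" + NUL */
        body = malloc(len);
        if (body != NULL)
            snprintf(body, len, fmt, esc);
        free(esc);
    }
    return body;
}

int main(void)
{
    char *body = build_lockinfo("Lock & load");  /* comment from the report */
    if (body == NULL)
        return 1;
    puts(body);
    free(body);
    return 0;
}
```

Escaping at the point where the XML body is assembled keeps the comment unchanged for RA layers that do not send it as XML, which is the concern raised in the quoted mail.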

This is an archived mail posted to the Subversion Dev mailing list.
