
Re: Lock message not xml escaped

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Fri, 19 Jun 2009 14:45:09 -0400

Daniel Shahaf wrote:
> kmradke_at_rockwellcollins.com wrote on Thu, 2 Apr 2009 at 17:18 -0500:
>> After posting on users, I have now verified that lock messages
>> are not correctly xml escaped over neon in both svn 1.5 and 1.6.
>>
>>
>> svn lock http://server/repo/path/to/file.txt -m"Lock & load"
>>
>> fails with error:
>>
>> svn: Server sent unexpected return value (400 Bad Request) in response to
>> LOCK request for '/repo/path/to/file.txt'
>>
>> Looking at the xml sent from the client to the server it is obviously not
>> escaped:
>>
>> <?xml version="1.0" encoding="utf-8" ?><D:lockinfo xmlns:D="DAV:">
>> <D:lockscope><D:exclusive /></D:lockscope> <D:locktype><D:write
>> /></D:locktype> <D:owner>Lock & load</D:owner></D:lockinfo>
>>
>> "&" should be replaced with "&amp;"
>>
>> Line 411 of libsvn_client/locking_commands.c is checking to make
>> sure the comment doesn't contain non-xml escapable characters, but
>> isn't escaping the string.
>
> FWIW, same in svn_ra_lock() in ra_loader.c.
>
>> I'm not sure if it should (since not all ra layers will probably need
>> the comment xml escaped.)
>>
>> Is the proper place to xml escape this around line 274
>> of libsvn_ra_neon/lock.c? (And possibly somewhere in the other
>> ra layers?)
>>
>
> Agreed. +1 to fixing it in libsvn_ra_neon/lock.c (in
> svn_ra_neon__lock() or one of its helpers).
>
>> (This seems like a trivial fix, so I'm not offended if someone
>> else beats me to a patch...)
>>
>
> Agreed...

Fixed this (with an accompanying regression test) in r38101 and r38102.

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2363625

Received on 2009-06-19 20:45:33 CEST
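
The escaping step the thread calls for, as an added example that is not part of the original mail and is not Subversion's code or the r38101/r38102 change: the lock comment is escaped as XML character data before it is placed inside `<D:owner>`. The names `xml_escape_cdata` and `build_lockinfo` and the fixed-size buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Subversion's API): append src to the string in
   dst, escaping XML character data. Returns 0, or -1 if dst is too small. */
static int xml_escape_cdata(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '&': rep = "&amp;"; break;   /* the case reported in the thread */
        case '<': rep = "&lt;";  break;   /* keeps the comment from opening a tag */
        case '>': rep = "&gt;";  break;   /* avoids a literal "]]>" in content */
        default:  rep = one;     break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;
        memcpy(dst + used, rep, n + 1);   /* copies the terminating NUL too */
        used += n;
    }
    return 0;
}

/* Build the LOCK request body quoted in the thread, with the comment escaped. */
int build_lockinfo(char *out, size_t cap, const char *comment)
{
    static const char head[] =
        "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
        "<D:lockinfo xmlns:D=\"DAV:\">"
        "<D:lockscope><D:exclusive /></D:lockscope>"
        "<D:locktype><D:write /></D:locktype><D:owner>";
    static const char tail[] = "</D:owner></D:lockinfo>";
    if (sizeof head > cap) return -1;
    memcpy(out, head, sizeof head);
    if (xml_escape_cdata(out, cap, comment) != 0) return -1;
    if (strlen(out) + sizeof tail > cap) return -1;
    strcat(out, tail);
    return 0;
}

int main(void)
{
    char body[512];
    if (build_lockinfo(body, sizeof body, "Lock & load") == 0)  /* constructed input */
        puts(body);
    return 0;
}
```

Escaping at the point where the XML body is assembled, rather than in the client-level check, matches the thread's reasoning that not every RA layer needs the comment XML-escaped.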

This is an archived mail posted to the Subversion Dev mailing list.
