
Re: mod_dav_svn not XML-escaping hook error messages

From: Julian Foad <julianfoad_at_btopenworld.com>
Date: Mon, 14 Dec 2009 14:01:08 +0000

Jon Foster wrote:
> I'd like to report a problem with mod_dav_svn and repository
> hooks. I had a bug in my post-revprop-change script, but all I
> saw was:
>
> > $ svn propedit --revprop -r 19 svn:log
> > svn: DAV request failed; it's possible that the repository's
> > pre-revprop-change hook either failed or is non-existent
> > svn: At least one property change failed; repository is unchanged
> > svn: XML data was not well-formed
>
> It seems that mod_dav_svn doesn't escape special XML characters like
> "<" and ">" in the error messages from hook scripts. This causes
> corrupt XML to be sent across the wire. Here's a Wireshark capture
> of the response to the PROPPATCH:
[...]
> <D:responsedescription>
> post-revprop-change hook failed (exit code 1) with output:
> Traceback (most recent call last):
> File "/srv/svn/kenny/hooks/post_revprop_change.py", line 9, in
> <module>
> from some_module import some_function
> ImportError: cannot import name some_function
> </D:responsedescription>
[...]
> --- END WIRESHARK CAPTURE ---
>
> The "<module>" part is invalid XML; but shouldn't mod_dav or
> mod_dav_svn be escaping this?
>
> This seems to have been reported previously (with the "&"
> character not being escaped):
>
> http://svn.haxx.se/users/archive-2007-05/0016.shtml
>
> But I can't see it in the bug tracker.
>
> I'm using Subversion 1.6.6 compiled from source, and the Apache
> package provided by Debian.

It looks like the problem has been there for years. I think this patch
should fix it. Do you feel like writing a regression test?

[[[
In mod_dav_svn, make error output from the post-commit hook XML-safe, to fix
the "invalid XML" error that occurred if a post-commit error message
contained "&" or "<" characters.

* subversion/mod_dav_svn/merge.c
  (dav_svn__merge_response): XML-quote the error string.
--This line, and those below, will be ignored--

Index: subversion/mod_dav_svn/merge.c
===================================================================
--- subversion/mod_dav_svn/merge.c (revision 889737)
+++ subversion/mod_dav_svn/merge.c (working copy)
@@ -252,7 +252,9 @@ dav_svn__merge_response(ap_filter_t *out
       post_commit_err_elem = apr_psprintf(pool,
                                           "<S:post-commit-err>%s"
                                           "</S:post-commit-err>",
- post_commit_err);
+ apr_xml_quote_string(pool,
+ post_commit_err,
+ 0));
     }
   else
     {
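Review bot: The apr_xml_quote_string() call added around post_commit_err only covers the <S:post-commit-err> element built in dav_svn__merge_response, while the capture in the report shows the unescaped hook output inside a <D:responsedescription> of a PROPPATCH response, produced by a post-revprop-change hook. Unless that response is also serialized through this function, the reported case looks unaddressed: please check where the revprop-change hook error is written out and quote it the same way, and extend the log message, which mentions only post-commit, to match. Passing 0 as the third argument is right for element content, since double quotes need no escaping there.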
]]]

- Julian
Received on 2009-12-14 15:01:47 CET
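
The failure described in the report and the effect of XML-quoting the hook output, as an added example that is not part of the original mail or of Subversion's code. The response layout, the sample hook text and the function names are constructed for illustration, and Python's `xml.sax.saxutils.escape` stands in for `apr_xml_quote_string`; the same check could serve as the core of a regression test.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed hook output, modelled on the traceback in the report,
# with an "&" added to cover the earlier 2007 report as well.
HOOK_OUTPUT = (
    "post-revprop-change hook failed (exit code 1) with output:\n"
    "Traceback (most recent call last):\n"
    '  File "hooks/post_revprop_change.py", line 9, in <module>\n'
    "    from some_module import some_function\n"
    "ImportError: cannot import name some_function & friends\n"
)


def build_response(message, quote):
    """Build a minimal multistatus body (assumed layout), optionally
    XML-quoting the hook message before embedding it."""
    body = escape(message) if quote else message  # escapes &, < and >
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<D:multistatus xmlns:D="DAV:"><D:response>'
        "<D:responsedescription>%s</D:responsedescription>"
        "</D:response></D:multistatus>" % body
    )


def client_reads(document):
    """Parse the body as a client would. Return the description text,
    or None when the XML is not well-formed."""
    try:
        root = ET.fromstring(document.encode("utf-8"))
    except ET.ParseError:
        return None
    return root.findtext(".//{DAV:}responsedescription")


if __name__ == "__main__":
    for quote in (False, True):
        text = client_reads(build_response(HOOK_OUTPUT, quote))
        state = "not well-formed" if text is None else "parsed, message intact"
        print("quote=%s: %s" % (quote, state))
```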

This is an archived mail posted to the Subversion Dev mailing list.
