
Re: svn commit: r1429235 - in /subversion/trunk/tools/hook-scripts: validate-files.conf.example validate-files.py

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 5 Jan 2013 21:17:59 +0200

Wow. I'm probably going to use that on svn.a.o. However..

breser_at_apache.org wrote on Sat, Jan 05, 2013 at 08:36:14 -0000:
> +# The command option is the command to run, this command will be run via
> +# the shell of your platform. Your command will have variable replacement
> +# made on it prior to execution as follows:
> +# $REPO or ${REPO} expands to the path of the repository for the commit.
> +# $TXN or ${TXN} expands to the transaction id of the commit.
> +# $FILE or ${FILE} expands to the name of the file that matched the pattern.
> +#
> +# $ characters that are not followed by one of the above variable names will
> +# be untouched.
> +#
> +# IMPORTANT: AS A CONSEQUENCE OF THE USE OF THE SHELL IT IS IMPORTANT TO
> +# QUOTE THE ARGUMENTS OF YOUR COMMANDS. THE $FILE VARIABLE DOES CONTAIN
> +# USER GENERATED DATA AND SHELL METACHARACTERS ARE NOT ESCAPED FOR YOU!
> +
> +# The following rule runs the svnauthz command's validate subcommand
> +# for file named authz in the conf subdir if it is present in the commit.
> +# This is a simple way to ensure that invalid authz files are not allowed
> +# to be committed.
> +#[rule:svnauthz-validate]
> +#pattern = conf/authz
> +#command = '%(svnauthz)s' validate -t '$TXN' '$REPO' '$FILE'
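Review bot: The IMPORTANT block leaves every config author responsible for quoting, yet the example rule `command = '%(svnauthz)s' validate -t '$TXN' '$REPO' '$FILE'` is still broken by a path that contains a single quote, since that character ends the quoted argument and whatever follows is interpreted by the shell. Consider having the script shell-escape each substituted value itself (shlex.quote / pipes.quote), or tokenise the command template and pass it as an argument list without a shell, and then state in this comment which of the two the script does so the advice to quote is accurate.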

This quoting is insufficient; it's still prone to SQL injections. Since
this is a problem every user of this script would have to solve, how
about having the script ensure that $FILE doesn't contain "'"?

Perhaps make this configurable via an "upon-single-quote = {continue|raise}"
knob in the config file.
Received on 2013-01-05 20:18:35 CET
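One way to close the gap Daniel points at, as an added example that is not the project's validate-files.py: the rule's command template is tokenised once, the variables are expanded inside each token, and the result is run as an argument list without a shell, so a path containing a single quote or other metacharacters stays a single argument. The upon-single-quote knob he proposes is included as a hypothetical parameter. The function names, the regular expression, and the sample template and paths are assumptions; only the REPO, TXN and FILE variable names come from the config comment above.

```python
import re
import shlex
import subprocess

# Added example, not the project's validate-files.py. The variable names
# follow the config documented above (REPO, TXN, FILE); everything else,
# including the regex and function names, is assumed.
_VAR_RE = re.compile(r"\$(?:\{(REPO|TXN|FILE)\}|(REPO|TXN|FILE)\b)")


class UnsafeFilename(ValueError):
    """Raised when a path contains a single quote and the policy is 'raise'."""


def expand(text, values):
    """Replace $NAME / ${NAME} with values[NAME]; any other '$' is left as-is,
    matching the behaviour the config comment documents."""
    return _VAR_RE.sub(lambda m: values[m.group(1) or m.group(2)], text)


def build_argv(template, repo, txn, path, upon_single_quote="raise"):
    """Turn a rule's command template into an argument list.

    The template is tokenised with shlex.split before substitution, then the
    variables are expanded inside each token. Because the result is an argv
    list run with shell=False, a path such as "conf/it's.txt" remains one
    argument and shell metacharacters in it are never interpreted. The
    upon-single-quote knob (hypothetical, as proposed in the mail) is kept
    so an administrator can still refuse such paths outright.
    """
    if upon_single_quote not in ("continue", "raise"):
        raise ValueError("upon-single-quote must be 'continue' or 'raise'")
    if upon_single_quote == "raise" and "'" in path:
        raise UnsafeFilename("refusing to run hook command for %r" % (path,))
    values = {"REPO": repo, "TXN": txn, "FILE": path}
    return [expand(tok, values) for tok in shlex.split(template)]


def expand_for_shell(template, repo, txn, path):
    """Shell-string expansion with shlex.quote applied to each value.

    Use this only if the command really must go through /bin/sh. The
    template must then NOT quote the variables itself ("validate $FILE",
    not "validate '$FILE'"): shlex.quote already wraps each value in single
    quotes, and adding another pair shifts the quote pairing and corrupts
    the argument.
    """
    values = {"REPO": shlex.quote(repo), "TXN": shlex.quote(txn),
              "FILE": shlex.quote(path)}
    return expand(template, values)


def run_rule(template, repo, txn, path, upon_single_quote="raise"):
    """Run a rule without a shell; returns the command's exit status."""
    argv = build_argv(template, repo, txn, path, upon_single_quote)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample values; the svnauthz path is assumed.
    tmpl = "'/usr/bin/svnauthz' validate -t '$TXN' '$REPO' '$FILE'"
    print(build_argv(tmpl, "/srv/repos/x", "12-a", "conf/authz"))
    print(build_argv("check $FILE", "r", "t", "conf/it's.txt",
                     upon_single_quote="continue"))
```

With the argv form, the single quotes in the existing example rule become harmless: shlex.split strips them as ordinary shell quoting, and the values substituted afterwards are never re-parsed, so the rule needs no per-user quoting discipline at all.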

This is an archived mail posted to the Subversion Dev mailing list.
