Markus Schaber wrote on Fri, Jun 20, 2014 at 07:53:09 +0000:
> Hi,
>
> See attached the third iteration of the patch.
>
> I did add coverage for the problems of arguments containing whitespace and dashes, and did drop the example I got from the issue tracker, as it is questionable whether that specific example really is a problem.
>
>
> [[[
> Fix issue 3046 by adding a statement about quoting of parameters and delimiting argument lists. Also add a hint about peg revisions, while we are at it.
>
> * subversion/libsvn_repos/repos.c
>   (create_hooks): Add a hint about quoting of parameters and URL
>     handling to the hook templates.
> ]]]
>
> +#define HOOKS_QUOTE_ARGUMENTS_TEXT \
> + "# CAUTION:" NL \
> + "# For security reasons, you MUST always properly quote arguments when" NL \
> + "# you use them, as those arguments could contain whitespace or other" NL \
> + "# problematic characters. Additionally, you should delimit the list" NL \
> + "# of options with \"--\" before passing the arguments, so malicious" NL \
> + "# clients cannot bootleg unexpected options to the commands your" NL \
> + "# script aims to execute." NL \
> + "# For similar reasons, you should also add a trailing @ to URLs which" NL \
> + "# are passed to SVN commands accepting URLs with peg revisions." NL
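
Review bot: The last sentence of HOOKS_QUOTE_ARGUMENTS_TEXT ("For similar reasons, you should also add a trailing @ to URLs ...") does not say what goes wrong without it, so a hook author cannot tell when the advice applies. Suggest adding a clause that an "@" occurring inside a path or URL is otherwise parsed as the start of a peg revision. In the "--" sentence, "bootleg" reads oddly; "smuggle" or "inject" is the usual term. The text also uses "MUST" for quoting but "should" for both "--" and the trailing "@"; if all three are meant as security requirements, the wording should be equally strong. A one-line sample invocation in the template, showing a quoted argument after "--", would make the caution easier to follow.
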
+1, thanks!
Received on 2014-06-20 14:00:59 CEST