[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [Patch] Fix for Issue 3046: document security requirement for hook script arguments

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Fri, 20 Jun 2014 12:00:21 +0000

Markus Schaber wrote on Fri, Jun 20, 2014 at 07:53:09 +0000:
> Hi,
>
> See attached the third iteration of the patch.
>
> I did add coverage for the problems of arguments containing whitespace and dashes, and did drop the example I got from the issue tracker, as it is questionable whether that specific example really is a problem.
>
>
> [[[
> Fix issue 3046 by adding a statement about quoting of parameters and delimiting argument lists. Also add a hint about peg revisions, while we are at it.
>
> * subversion/libsvn_repos/repos.c
> (create_hooks): Add a hint about quoting of parameters and url
> handling to the hook templates.
> ]]]
>
> +#define HOOKS_QUOTE_ARGUMENTS_TEXT \
> + "# CAUTION:" NL \
> + "# For security reasons, you MUST always properly quote arguments when" NL \
> + "# you use them, as those arguments could contain whitespace or other" NL \
> + "# problematic characters. Additionally, you should delimit the list" NL \
> + "# of options with \"--\" before passing the arguments, so malicious" NL \
> + "# clients cannot bootleg unexpected options to the commands your" NL \
> + "# script aims to execute." NL \
> + "# For similar reasons, you should also add a trailing @ to URLs which" NL \
> + "# are passed to SVN commands accepting URLs with peg revisions." NL

+1, thanks!
Received on 2014-06-20 14:00:59 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.