Index: subversion/libsvn_repos/repos.c
===================================================================
--- subversion/libsvn_repos/repos.c (revision 1603773)
+++ subversion/libsvn_repos/repos.c (working copy)
@@ -280,6 +280,13 @@
 "# http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and" NL \
 "# http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/" NL
 
+#define HOOKS_QUOTE_ARGUMENTS_TEXT \
+ "# CAUTION:" NL \
+ "# For security reasions, you MUST always properly qoute arguments when" NL \
+ "# you use them. For example, a malicious client could try to set a" NL \
+ "# revision property named \"foo; rm -rf /;\"." NL \
+ "# For similar reasons, you should also add a trailing @ to URLs which" NL \
+ "# are passed to SVN commands which accept URLs with peg revisions." NL
 
 static svn_error_t *
 create_hooks(svn_repos_t *repos, apr_pool_t *pool)
@@ -354,6 +361,8 @@
 "# " NL
 HOOKS_ENVIRONMENT_TEXT
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter." NL
 PREWRITTEN_HOOKS_TEXT
 "" NL
@@ -439,6 +448,8 @@
 "#" NL
 HOOKS_ENVIRONMENT_TEXT
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter." NL
 PREWRITTEN_HOOKS_TEXT
 "" NL
@@ -522,6 +533,8 @@
 "#" NL
 HOOKS_ENVIRONMENT_TEXT
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter." NL
 PREWRITTEN_HOOKS_TEXT
 "" NL
@@ -594,6 +607,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
 "# but the basic idea is the same." NL
 "#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
 "" NL
 "REPOS=\"$1\"" NL
@@ -681,6 +696,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
 "# but the basic idea is the same." NL
 "#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
 "" NL
 "REPOS=\"$1\"" NL
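Review bot: The new HOOKS_QUOTE_ARGUMENTS_TEXT in the @@ -280 hunk misspells two words that are emitted verbatim into every generated hook template: `+ "# For security reasions, you MUST always properly qoute arguments when" NL \` should read `+ "# For security reasons, you MUST always properly quote arguments when" NL \`. Because the macro is spliced into each template (the hunks at 354, 439, 522, 594 and 681 here and the four on the following line), correcting that one line fixes all of them. The same text also lands in templates whose positional arguments are not property names (the 594 and 681 hunks go on to read `REPOS="$1"`), so a sentence stating that the rule applies to every argument the hook receives, not only the property-name example, would keep readers from treating it as a pre-revprop-change-only concern. A one-line comment above the define, `/* Caution about quoting hook arguments; appended to every generated hook template. */`, would also document why the block exists separately from HOOKS_ENVIRONMENT_TEXT.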
@@ -767,6 +784,8 @@
 "# " NL
 HOOKS_ENVIRONMENT_TEXT
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter." NL
 PREWRITTEN_HOOKS_TEXT
 "" NL
@@ -830,6 +849,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
 "# but the basic idea is the same." NL
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
 "" NL
 "REPOS=\"$1\"" NL
@@ -888,6 +909,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
 "# but the basic idea is the same." NL
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
 "" NL
 "REPOS=\"$1\"" NL
@@ -951,6 +974,8 @@
 "# " NL
 HOOKS_ENVIRONMENT_TEXT
 "# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter." NL
 PREWRITTEN_HOOKS_TEXT
 "" NL