shelve-cmd.c and shelf-cmd.c contain these pieces of code:
/* NOTE(review): excerpt from inside a function; `diffstat`, `info` and
   `scratch_pool` are defined outside the quoted lines. */
120 if (diffstat)
121 {
122 #ifndef WIN32
/* The formatted string is passed to system(), i.e. to the shell.
   info->patch_path is interpolated with a bare %s, with no quoting or
   escaping, so shell metacharacters in the path are interpreted by the
   shell instead of being treated as part of a file name.  diffstat's
   stderr is discarded by the "2> /dev/null" redirection.
   Mitigation to consider: run diffstat without a shell, passing the path
   as its own argv element (an argv-based spawn such as apr_proc_create()
   or svn_io_run_cmd()), so no quoting is needed.  TODO confirm which of
   these is usable from this file. */
123 int result = system(apr_psprintf(scratch_pool,
124 "diffstat -p0 %s 2> /dev/null",
125 info->patch_path));
/* A blank line is printed only when system() returned 0; any other
   result is silently ignored. */
126 if (result == 0)
127 SVN_ERR(svn_cmdline_printf(scratch_pool,
128 "\n"));
129 #endif
130 }
74 /* Print some details of the changes in the patch of SHELF_VERSION by
   running the external `diffstat` program on the patch file.  The body is
   compiled only when WIN32 is not defined; otherwise the function just
   returns SVN_NO_ERROR.  Temporary allocations use SCRATCH_POOL.
   Returns an error only if fetching the patch path or printing fails; a
   non-zero result from system() is ignored.
75 */
76 static svn_error_t *
77 show_diffstat(svn_client_shelf_version_t *shelf_version,
78 apr_pool_t *scratch_pool)
79 {
80 #ifndef WIN32
81 const char *patch_abspath;
82 int result;
83
84 SVN_ERR(svn_client_shelf_get_patch_abspath(&patch_abspath, shelf_version,
85 scratch_pool));
/* The command line is executed by the shell via system().  The path is
   wrapped in single quotes, but a single quote inside patch_abspath is
   not escaped, so it would end the quoted string and the rest of the
   path would be parsed as shell syntax.  diffstat's stderr is discarded.
   Mitigation to consider: avoid the shell and pass patch_abspath as a
   separate argv element (e.g. apr_proc_create() or svn_io_run_cmd());
   TODO confirm which is usable from this file. */
86 result = system(apr_psprintf(scratch_pool,
87 "diffstat -p0 '%s' 2> /dev/null",
88 patch_abspath));
/* Emit a trailing blank line only when system() returned 0. */
89 if (result == 0)
90 SVN_ERR(svn_cmdline_printf(scratch_pool, "\n"));
91 #endif
92 return SVN_NO_ERROR;
93 }
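Neither of these calls correctly quotes the path that's interpolated
into the command line: the first does not quote it at all, and the
single quotes in the second do not help when the path itself contains
a single quote. Consequently, the wcroot_abspath would be interpreted
by the shell, and any shell metacharacters in it would be executed as
shell commands. Could that be fixed please?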
Cheers,
Daniel
Received on 2018-02-09 18:22:15 CET