
Re: Subversion Exception!

From: Stefan Kueng <tortoisesvn_at_gmail.com>
Date: Wed, 12 Dec 2018 21:16:48 +0100

On 12.12.2018 21:12, Branko Čibej wrote:
> On 12.12.2018 19:07, Stefan Kueng wrote:
>>
>>
>> On 12.12.2018 13:55, TortoiseSVN-dev on behalf of Julian Foad wrote:
>>>>> Subversion encountered a serious problem.
>>>>> Please take the time to report this on the Subversion mailing list
>>> […]
>>>>> https://subversion.apache.org/mailing-lists.html
>>>
>>>> It is likely that this is a problem specific to TortoiseSVN, and not
>>>> to core SVN. TortoiseSVN has its own mailing lists, so you should
>>>> report your problem there:
>>> (Cross-posting.)
>>
>> Since this happens in the project monitor, my best guess is that the
>> path/url the user entered to be monitored is not correct.
>>
>>>
>>> It makes me sad every time I see this pattern. Software is often
>>> frustrating to use, but should at least aim to be polite to its
>>> users. Telling the user "Please do X" and then when the user does X
>>> saying "No, it's no good doing X; do Y" is not polite, and I would
>>> not expect anyone but the most calm, patient and helpful of users to
>>> gracefully comply with such a request.
>>>
>>> I'm not meaning to criticise Johan but rather our whole system.
>>>
>>> Can we please fix this problem. Both:
>>> 1) Tsvn please change the message.
>>
>> Sorry, won't do that. Because I've argued multiple times over the
>> years here that calling exit() or even abort() in a library is the
>> worst idea ever. Especially if this can happen by having the user
>> enter a wrong path/url.
>
>
> It's not the user entering the wrong path or URL. It's the code that
> uses the Subversion libraries — in this case TSVN — not validating and
> de-tainting its input. Yes, this has been going on for years due to your

And as I repeatedly said: TSVN does validate the input as well as it
can. But if svn neither describes the *exact* specs in the docs nor
provides any APIs that do that, then TSVN has to guess.
And no: specifying that paths/uris have to be "canonicalized" is not
enough because I do that, using the svn APIs.
So apparently that's not enough.

> obstinately refusing to conform to our API specs. In the meantime,
> *your* users are left hanging.

I do conform to the specs.

> The rules are clear and consistent: pointers may not be NULL unless
> specifically allowed, paths must be absolute and canonical, URLs must be
> canonical, all strings must be encoded in UTF-8. We provide a wide range
> of helper functions that make it easy for API consumers to encode the
> parameters.

That's what I do.

>> Sorry if this message seems rude - but I'm tired of arguing the same
>> over and over again.
>
>
> You don't say.

I'll leave your sarcasm and won't respond to this thread anymore.

Stefan
Received on 2018-12-12 21:17:01 CET

This is an archived mail posted to the Subversion Dev mailing list.
