On 12.12.2018 21:12, Branko Čibej wrote:
> On 12.12.2018 19:07, Stefan Kueng wrote:
>>
>>
>> On 12.12.2018 13:55, TortoiseSVN-dev on behalf of Julian Foad wrote:
>>>>> Subversion encountered a serious problem.
>>>>> Please take the time to report this on the Subversion mailing list
>>> […]
>>>>> https://subversion.apache.org/mailing-lists.html
>>>
>>>> It is likely that this is a problem specific to TortoiseSVN, and not
>>>> to core SVN. TortoiseSVN has its own mailinglists, so you should
>>>> report your problem there:
>>> (Cross-posting.)
>>
>> Since this happens in the project monitor, my best guess is that the
>> path/url the user entered to be monitored is not correct.
>>
>>>
>>> It makes me sad every time I see this pattern. Software is often
>>> frustrating to use, but should at least aim to be polite to its
>>> users. Telling the user "Please do X" and then when the user does X
>>> saying "No, it's no good doing X; do Y" is not polite, and I would
>>> not expect anyone but the most calm, patient and helpful of users to
>>> gracefully comply with such a request.
>>>
>>> I'm not meaning to criticise Johan but rather our whole system.
>>>
>>> Can we please fix this problem. Both:
>>> 1) Tsvn please change the message.
>>
>> Sorry, won't do that. Because I've argued multiple times over the
>> years here that calling exit() or even abort() in a library is the
>> worst idea ever. Especially if this can happen by having the user
>> enter a wrong path/url.
>
>
> It's not the user entering the wrong path or URL. It's the code that
> uses the Subversion libraries — in this case TSVN — not validating and
> de-tainting its input. Yes, this has been going on for years due to your
And as I repeatedly said: TSVN does validate the input as good as it
can. But if svn does neither describe the *exact* specs in the docs nor
provide any APIs that do that, then TSVN has to guess.
And no: specifying that paths/uris have to be "canonicalized" is not
enough because I do that, using the svn APIs.
So apparently that's not enough.
> obstinately refusing to conform to our API specs. In the meantime,
> *your* users are left hanging.
I do conform to the specs.
> The rules are clear and consistent: pointers may not be NULL unless
> specifically allowed, paths must be absolute and canonical, URLs must be
> canonical, all strings must be encoded in UTF-8. We provide a wide range
> of helper functions that make it easy for API consumers to encode the
> parameters.
That's what I do.
>> Sorry if this message seems rude - but I'm tired of arguing the same
>> over and over again.
>
>
> You don't say.
I'll leave your sarcasm and won't respond to this thread anymore.
Stefan
Received on 2018-12-12 21:17:01 CET