Re: SV: Re: SV: Re: SV: Re: Integration with Bugtracking Systems / Issue trackers

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-08-25 10:35:42 CEST

Hans-Emil Skogh wrote:

>> So this is now my proposal:
>> Introduce three properties:
>> Property: tsvn:linkedapp:x
>> where x is 1, 2, 3; this allowing for multiple buttons to be
>> added through this feature
>> Value:
>> first line: path and filename to an executable file
>> second line, optional: button caption

The second line must not be optional. A button caption is mandatory -
otherwise we'd have to name the button '1', '2' or '3' :)

> Ok. Suppose an open source project decides to use this feature.
> I join the project, upload some malicious executable to the repository*
> and change the tsvn:linkedapp:x-property to point to the evil exe.
>
> * This is a voluntary step as there probably are naughty enough exes on
> most machines waiting to be exploited.

Very nasty. But of course you're right. There are plenty of evil people
in this world to be concerned.

>> It should be possible for this to be either an executable
>> binary (file://) or some web page (http://).
>> To make this really work the first line of the property
>> value must allow for some escape characters to be used.
>> %BUGID%
>> %USERNAME%
>> %PASSWORD%
>> %REPOS% (the repository URL)

Where do you want to get the username and password from? Yes, Subversion
stores them if you ask it to, but there's no way to find the right one
without contacting the repository first - and that's something I won't
allow in the commit dialog.

> Whoo! Or almost better! I'll just change the property to send your
> username and password to a webpage under my control where I log them and
> redirect you to the original page.

Nice :)

We could allow only local executables, residing inside the working copy.
And URLs only from the same domain (the difficult part will be to
compare URLs and find out if they're from the same domain).
But then, most people have their repositories on a different server than
e.g. the bug tracking system.

> You submit a patch here on the list, Stefan will have a look at it, and
> if it's any good it will be accepted and added. Simple as that.

I think I'm not the only one reviewing patches :)

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on Fri Aug 25 10:35:57 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.
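
An added example, not TortoiseSVN code and not part of the original mail: one way to apply the restrictions suggested above to a `tsvn:linkedapp:x` value (mandatory caption, executables only inside the working copy, URLs only on the repository's host, which is stricter than "same domain"). The function name, the reason strings, the outright refusal of `%USERNAME%`/`%PASSWORD%` and the `example.org`/`.invalid` hosts are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Assumption of this example: credential placeholders are refused outright.
CREDENTIAL_TOKENS = ("%USERNAME%", "%PASSWORD%")


def _host(url):
    """Host of a URL, lower-cased, without user:pass@ prefix or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def check_linkedapp(value, wc_root, repo_url):
    """Return (accepted, reason) for one tsvn:linkedapp:x property value."""
    lines = value.splitlines()
    if len(lines) < 2 or not lines[1].strip():
        return False, "missing caption"
    target = lines[0].strip()
    if any(tok in target.upper() for tok in CREDENTIAL_TOKENS):
        return False, "credential placeholder"
    try:
        scheme = urlsplit(target).scheme.lower()
        if scheme in ("http", "https"):
            host = _host(target)
            if host and host == _host(repo_url):
                return True, "ok"
            return False, "foreign host"
    except ValueError:  # e.g. unbalanced IPv6 brackets in the host part
        return False, "malformed url"
    if scheme or os.path.isabs(target):
        return False, "not a relative path"  # also catches file:// and C:/...
    root = os.path.realpath(wc_root)
    resolved = os.path.realpath(os.path.join(root, target))  # follows .. and symlinks
    if os.path.commonpath([root, resolved]) != root:
        return False, "outside working copy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; hosts and paths are placeholders.
    repo = "https://svn.example.org/repos/project/trunk"
    for value in (
        "tools/bugs.exe\nOpen issue",
        "../../Windows/System32/cmd.exe\nOpen issue",
        "http://svn.example.org@tracker.invalid/?id=%BUGID%\nOpen issue",
        "http://SVN.example.org./bugs?id=%BUGID%\nOpen issue",
    ):
        print(check_linkedapp(value, os.getcwd(), repo), repr(value))
```

A file inside the working copy can still have been committed by anyone with write access, as the quoted scenario describes, so the path check narrows the target but does not make it trusted.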