[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Can client-side hooks run a script not in working copy?

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Mon, 05 Aug 2013 21:51:18 +0200

On 05.08.2013 19:54, Ben Fritz wrote:
> On Mon, Aug 5, 2013 at 12:22 PM, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>> On 05.08.2013 18:15, Ben Fritz wrote:
>>> Can I specify a repository path to a file NOT in the working copy, and
>>> have it run as a hook script? Or do I need to stick it on a common
>>> network share or something like that?
>> Sorry, no. That would be a big security issue since then TSVN would
>> actually execute potentially dangerous and/or malicious code.
>> At least by only executing script that are in the repository and the
>> working copy we can assume that you need at least commit access to the
>> repo to have something execute.
> Sure...but the commit access argument also applies to files in the
> repository but not the current working copy. E.g. if I have:
> /repo/trunk/file1
> /repo/trunk/hook1.bat
> /repo/tools/clienthooks/hook2.bat
> Then why is running hook1 any more secure than running hook2?

It's not, but to execute a file it must be present locally. So you must
have it in your working copy.

> For that matter, I see from
> http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-dug-settings.html
> that I can't use UNC paths, but I guess anything on the C: drive or
> any mapped network drives would be fair game; that's not too secure
> either. Anyway, http://tortoisesvn.net/tsvn_1.8_releasenotes.html says
> TSVN will ask the user first before running.

Actually, executing anything on an UNC path most likely won't work
because of the Windows security settings. You can try running e.g. a
jscript file from there and you'll get a security warning dialog. But if
you run it from a command line or try to do it without an UI, then you
won't get such a warning dialog but instead it simply fails.
That's what's meant in the docs.

> As a workaround assume I can do:
> :: Wrapper bat file
> @echo off
> svn cat http://example.com/repo/tools/clienthooks/hook2.bat > hook_script.bat
> call hook_script.bat
> del hook_script.bat
> :: end wrapper bat file
> But this just seems silly.

And where would you put that wrapper bat file? If it's not inside the
working copy, the hook won't execute it.


   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2013-08-05 21:51:26 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.