
Re: Issue links in commit log

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Thu, 6 Feb 2014 01:06:09 +0000

On 5 February 2014 23:11, Cosmin Pirvu <cosmin.pirvu_at_asitrack.com> wrote:

> On 2/5/2014 23:13, Ben Fritz wrote:
> > On Wed, Feb 5, 2014 at 6:19 AM, Cosmin Pirvu <cosmin.pirvu_at_asitrack.com> wrote:
> >> Hi guys,
> >>
> >> I'm trying to integrate a custom issue tracker with tortoisesvn. My
> >> bugtraq:url looks something like this:
> >>
> >> file:///C:\Issues\tracker.exe%20%BUGID%
> >>
> > Let me rephrase your question:
> >
> > "Is there a property I can set in my SVN repository, that allows me to
> > run an arbitrary executable on a user's file system when they click on
> > the bug tracker link?"
> >
> > I really, really hope the answer to that question is "no".
> >
> > What if your bug tracker URL looked something like this?
> >
> > file:///C:\Windows\System32\cmd.exe%20-c%20format%20C:&REM%20%BUGID%
> >
> > Or this?
> >
> > file:///C:\Malware\email_credit_card_info.exe&REM%20%BUGID%
>
> It's not an arbitrary executable, it's an issue tracker. That's the
> whole point. Not all issue trackers are web apps.
>

We understand why you want this, but that's not what he's saying. The
property can be made to point to an arbitrary executable. You might want it
to point at your tracker, but whoever sets the property might have other
ideas. Or it could even be a typo.

> Also, the bugtraq properties need to be set manually. You have to set
> that URL yourself, it cannot be done automatically. So your security
> concerns are unfounded.
>

Not at all. The bugtraq properties have to be set, but not by the person
whose PC they will be executed on. Anyone with commit access to the repo
can set that property. You might feel it is safe in your organisation if it
is a closed shop, but TortoiseSVN is used in many other places too, notably
a lot of open source projects with worldwide membership.

> Anyway, it looks like tortoisesvn doesn't handle the "file://" protocol
> separately. So it basically supports only web apps.
>

Not quite true as Ron points out elsewhere. But it is up to you to
configure the URI handler locally which allows a file to be executed. That
way the security decision is made at the location where the code is
executed.

Simon

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3072593

Received on 2014-02-06 02:06:23 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.
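
Added example, not part of the archived message and not TortoiseSVN code: since anyone with commit access can set bugtraq:url, a repository administrator can audit the property values and reject anything that is not an absolute web URL. The http/https-only policy, the function names and the sample paths are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: tracker links must be absolute web URLs.
ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def check_bugtraq_url(value):
    """Return (ok, reason) for one bugtraq:url property value."""
    value = value.strip()
    match = SCHEME_RE.match(value)
    if not match:
        return False, "no URL scheme"
    scheme = match.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s' is not http/https" % scheme
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "missing host"
    return True, "ok"


def audit(props):
    """props: iterable of (path, bugtraq:url value). Return the rejected ones."""
    findings = []
    for path, value in props:
        ok, reason = check_bugtraq_url(value)
        if not ok:
            findings.append((path, value, reason))
    return findings


# Constructed sample: the first value is the one quoted in the thread,
# the others are made up for illustration.
SAMPLE = [
    ("trunk", r"file:///C:\Issues\tracker.exe%20%BUGID%"),
    ("branches/web", "https://tracker.example.com/view?id=%BUGID%"),
    ("branches/odd", r"C:\Issues\tracker.exe %BUGID%"),
    ("branches/nohost", "https:///view?id=%BUGID%"),
]

if __name__ == "__main__":
    for path, value, reason in audit(SAMPLE):
        print("REJECT %s: %s (%s)" % (path, value, reason))
```

In a server-side pre-commit hook the (path, value) pairs could be read with `svnlook propget -t TXN`, so a rejected value never reaches other users' working copies.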