Re: Content scanning during checkout/update
From: Ryan Schmidt <subversion-2011a_at_ryandesign.com>
Date: Tue, 19 Jul 2011 12:02:59 -0500
On Jul 19, 2011, at 07:06, Toplak Daniel wrote:
> I want to implement server-side scanning for malicious content in both ways: when commits arrive and when checkouts/updates are sent to the client.
Right, that's more difficult since Subversion doesn't have a pre- or post-checkout or -update hook.
I wrote a script to help you fake it, if you're serving the repository using Apache:
This wouldn't prevent someone from checking out or updating, but would give you a chance to run a script on the server when they do. If the script finds something it needs to alert the user about, it could do so using external means, like by sending them an email or an instant message.
But why is it that you want to scan not only at commit time but also at checkout/update time? If you scan files for malicious content at commit, isn't that enough? Once you've verified the commit is clean, it'll stay clean; revisions can't be modified later. Or are you worried that someone commits some new malware that's not yet identified by your scanning software, and you want to scan it again later with updated versions of the scanning software?
This is an archived mail posted to the Subversion Users mailing list.
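One way to get a server-side trigger on checkout/update when serving through Apache, as an added example (it is not the script referred to in the message above). It assumes mod_dav_svn operational logging is enabled with `CustomLog <file> "%t %u %{SVN-ACTION}e" env=SVN-ACTION`; the function names, the `scan` callable and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lines written with the assumed format "%t %u %{SVN-ACTION}e".
# Only the two actions that send file content to a working copy are kept.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<user>\S+)\s+'
    r'(?P<action>checkout-or-export|update)\s+(?P<path>\S+)\s+r(?P<rev>\d+)\b'
)

def parse_fetch(line):
    """Return (user, action, path, rev) for a checkout/update line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["user"], m["action"], m["path"], int(m["rev"])

def fetches_to_rescan(lines):
    """Group fetches by (path, rev) so each tree is scanned once per batch."""
    pending = defaultdict(set)
    for line in lines:
        hit = parse_fetch(line)
        if hit:
            user, _action, path, rev = hit
            pending[(path, rev)].add(user)
    return dict(pending)

def notify_list(pending, scan):
    """Call scan(path, rev) -> bool (True = flagged) and return, per user,
    the fetched trees that need an out-of-band alert (email, IM)."""
    alerts = defaultdict(list)
    for (path, rev), users in sorted(pending.items()):
        if scan(path, rev):  # hypothetical: export the revision, run the scanner
            for user in sorted(users):
                alerts[user].append((path, rev))
    return dict(alerts)

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    "[19/Jul/2011:12:00:01 -0500] sally checkout-or-export /trunk r1729 depth=infinity",
    "[19/Jul/2011:12:00:05 -0500] harry update /trunk r1729 depth=infinity send-copyfrom-args",
    "[19/Jul/2011:12:00:09 -0500] harry update /branches/rel-1 r1730 depth=infinity",
    "[19/Jul/2011:12:00:12 -0500] sally commit r1731",
    "[19/Jul/2011:12:00:15 -0500] - get-dir /tags r1729 props",
]

if __name__ == "__main__":
    flagged = lambda path, rev: path == "/trunk"  # stand-in scanner verdict
    print(notify_list(fetches_to_rescan(SAMPLE_LOG), flagged))
```

Because the log is written after the request is served, this can only alert after the fact; it cannot block the checkout or update.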