Re: Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Fri, 25 Jul 2014 09:44:16 +0100

Julian Ruhe <julian.ruhe_at_gmail.com> writes:

> All of a sudden, starting somewhere prior to 1.7.13, the $PATH variable
> is set, although the svnbook states
> "For security reasons, the Subversion repository executes hook programs
> with an empty environment—that is, no environment variables are set at all,
> not even $PATH (or %PATH%, under Windows)."
>
> env 1>&2
> svn --version 1>&2
> echo $PATH 1>&2
> exit 1

That will be because your hook is a shell script and the shell invokes a
.profile or .login that sets variables. To see the empty environment
use a hook that doesn't set any variables, say:

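  #include <stdio.h>
  #include <stdlib.h>

  /* Compiled hook: no shell runs, so it reports PATH exactly as inherited. */
  int main(int argc, char *argv[])
  {
      const char *path = getenv("PATH");
      /* Hook stderr is what gets reported back when the hook fails. */
      fprintf(stderr, "%s\n", path ? path : "no PATH");
      return 1;  /* non-zero exit: reject the operation so the message is shown */
  }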

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*
Received on 2014-07-25 10:44:50 CEST

This is an archived mail posted to the Subversion Users mailing list.