Re: Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Fri, 25 Jul 2014 09:44:16 +0100

Julian Ruhe <julian.ruhe_at_gmail.com> writes:

> All of the sudden, starting somewhere prior to 1.7.13, the $PATH variable
> is set, although the svnbook states
> "For security reasons, the Subversion repository executes hook programs
> with an empty environment—that is, no environment variables are set at all,
> not even $PATH (or %PATH%, under Windows)."
>
> env 1>&2
> svn --version 1>&2
> echo $PATH 1>&2
> exit 1

That will be because your hook is a shell script and the shell invokes a
.profile or .login that sets variables. To see the empty environment
use a hook that doesn't set any variables, say:

  #include <stdio.h>
  #include <stdlib.h>
  int main(int argc, char *argv[])
  {
     const char *path = getenv("PATH");
     fprintf(stderr, "%s\n", path ? path : "no PATH");
     return 1;
  }

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*

Received on 2014-07-25 10:44:50 CEST

This message: [ Message body ]
Next message: Branko Čibej: "Re: http-request PUT"
Previous message: merch store: "Re: http-request PUT"
In reply to: Julian Ruhe: "Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]