subversion-dev mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: [Patch] Fix for Issue 3046: document security requirement for hook script arguments
Date Fri, 20 Jun 2014 12:00:21 GMT
Markus Schaber wrote on Fri, Jun 20, 2014 at 07:53:09 +0000:
> Hi,
> 
> See attached the third iteration of the patch.
> 
> I did add coverage for the problems of arguments containing whitespace and dashes, and
> did drop the example I got from the issue tracker, as it is questionable whether that specific
> example really is a problem.
> 
> 
> [[[
> Fix issue 3046 by adding a statement about quoting of parameters and delimiting argument
> lists. Also add a hint about peg revisions, while we are at it.
> 
> * subversion/libsvn_repos/repos.c
>   (create_hooks): Add a hint about quoting of parameters and url
>     handling to the hook templates.
> ]]]
> 
> +#define HOOKS_QUOTE_ARGUMENTS_TEXT                                            \
> +  "# CAUTION:"                                                             NL \
> +  "# For security reasons, you MUST always properly quote arguments when"  NL \
> +  "# you use them, as those arguments could contain whitespace or other"   NL \
> +  "# problematic characters. Additionally, you should delimit the list"    NL \
> +  "# of options with \"--\" before passing the arguments, so malicious"    NL \
> +  "# clients cannot bootleg unexpected options to the commands your"       NL \
> +  "# script aims to execute."                                              NL \
> +  "# For similar reasons, you should also add a trailing @ to URLs which"  NL \
> +  "# are passed to SVN commands accepting URLs with peg revisions."        NL

+1, thanks!
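As an added illustration of the advice in the quoted template text (example code written here, not part of the patch or of the Subversion project): a stand-in `tool` function replaces svn/svnlook so the script runs offline, and simply reports which of its arguments it would parse as options. `hook_unsafe` shows the unquoted, no-"--" pattern the template warns about; `hook_safe` the quoted form with "--"; `peg_safe` the trailing "@" for targets passed to peg-revision-aware commands. All three function names and the sample arguments are made up for this example.

```shell
#!/bin/sh
# Added example, not Subversion project code. "tool" stands in for an
# svn-style command: anything starting with "-" before "--" is treated as an
# option, everything after "--" is a plain argument.
tool() {
    opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case "$arg" in
                --) opts_done=1; continue ;;
                -*) printf 'OPTION:%s\n' "$arg"; continue ;;
            esac
        fi
        printf 'ARG:%s\n' "$arg"
    done
}

# Vulnerable pattern: the client-controlled value is expanded unquoted
# (so it is split on whitespace and glob-expanded) and nothing stops a
# value that starts with "-" from being taken as an option.
hook_unsafe() {
    user=$1
    tool $user
}

# Hardened pattern: every expansion is quoted and "--" is placed after the
# command's own options, so the value always arrives as a single argument
# and is never parsed as an option, whatever it starts with.
hook_safe() {
    user=$1
    tool -- "$user"
}

# For commands that accept peg revisions: append "@" so the whole string is
# taken as the target and an "@" inside a client-supplied path or URL is not
# read as the start of a peg revision.
peg_safe() {
    printf '%s@' "$1"
}

# Stand-alone demonstration with constructed sample values.
for sample in 'John Doe' '-rf' '--username root'; do
    printf '== unsafe: %s\n' "$sample"; hook_unsafe "$sample"
    printf '== safe:   %s\n' "$sample"; hook_safe "$sample"
done
peg_safe 'branches/release@2014'
echo
```

Run it and compare the two blocks per sample: the unsafe form turns `John Doe` into two arguments and `-rf` into an option, while the safe form delivers each value intact as one argument.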
