subversion-users mailing list archives

From Julian Ruhe <julian.r...@gmail.com>
Subject Security issue: $PATH _is_ set in pre-lock hook (Subversion 1.7)
Date Thu, 24 Jul 2014 14:16:31 GMT
All of a sudden, starting somewhere prior to 1.7.13, the $PATH variable
is set, although the svnbook states
"For security reasons, the Subversion repository executes hook programs
with an empty environment—that is, no environment variables are set at all,
not even $PATH (or %PATH%, under Windows)."

env 1>&2
svn --version 1>&2
echo $PATH 1>&2
exit 1

==================================

svn: E165001: Lock blocked by pre-lock hook (exit code 1) with output:
LANG=en_US.utf-8
PWD=/
LC_ALL=en_US.utf-8

svn, version 1.7.17 (r1591372)
   compiled Jun 17 2014, 14:13:29

Copyright (C) 2014 The Apache Software Foundation.
This software consists of contributions made by many people; see the NOTICE
file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin


=====

Tested with 1.7.17 debian/compiled, 1.7.13 RHEL 6,4 CollabNet

Greetings,
J.Ruhe
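
A hook that should not depend on whatever environment the server hands it can pin its own. The preamble below is an added example, not part of the original message or of Subversion; the function names, the allowlist and the PATH value are assumptions. It also separates what `env` reports (the exported environment) from shell variables such as a default PATH, which shells like bash and dash set themselves when none is inherited.

```shell
#!/bin/sh
# Added example: hook preamble that pins its own environment.
# HOOK_PATH and HOOK_KEEP are assumed values; set them per site policy.
HOOK_PATH='/usr/bin:/bin'
HOOK_KEEP='LANG LC_ALL'

# Names of the variables present in the process environment.
# `env` lists exported variables only, so a PATH that the shell filled
# in by default (and did not inherit) does not show up here.
exported_names() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# Succeeds when NAME is part of the exported environment.
is_exported() {
    exported_names | grep -qx "$1"
}

# Drop every exported variable outside the allowlist, then set a known
# PATH. The drop list is built first so that unsetting PATH (or a
# variable that shadows one used here) cannot disturb the loop.
sanitize_hook_env() {
    drop=
    for name in $(exported_names); do
        case " $HOOK_KEEP " in
            *" $name "*) ;;                  # allowlisted: keep
            *) drop="$drop $name" ;;
        esac
    done
    # Names match [A-Za-z0-9_] only, so the unquoted expansion is safe.
    unset $drop 2>/dev/null || :
    unset drop name
    PATH=$HOOK_PATH
    export PATH
}

# In a real hook: call sanitize_hook_env before running any command,
# and use is_exported PATH (not `echo $PATH`) to see what was inherited.
```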
