  1. Continuum
  2. CONTINUUM-2577

Subversion login and password are not properly escaped in svn shell invocation from release prepare


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Environment:
      Linux

      Description

      When preparing a release, if the user mistypes their
      Subversion password and adds a backslash at the end, then the release
      prepare phase gets stuck in the "update-working-copy" (the first) step.
      This is because the svn command issued by Continuum is:

      svn --username xxxxx --password abcdef\ --non-interactive ...

      which means that the space between the password and the space before the
      --non-interactive option is escaped, which in turn means that this
      option is not seen at all, and since the password is incorrect, it goes
      ahead and tries to prompt the user for their correct password in the
      command line, so the process hangs (found that by running a:
      ps -edf | grep svn
      on the server).

      The username and password should be shell-escaped to avoid this. (Imagine
      the disaster if the user enters a password ";my-malicious-command".)

            People

            • Assignee:
              Unassigned
              Reporter:
              odehon Olivier Dehon

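The behaviour described in the report, as an added example that is not part of the original issue and is not Continuum's own code: it builds the svn command line three ways and uses Python's `shlex` as a stand-in for POSIX shell word splitting to show what svn would receive as arguments. The function names, the user `alice`, and the `update` subcommand are assumptions made for illustration.

```python
import shlex

SVN_TAIL = "--non-interactive update"  # "update" is an assumed subcommand


def build_command_string(username, password):
    """Pattern from the report: credentials pasted unescaped into a shell line."""
    return f"svn --username {username} --password {password} {SVN_TAIL}"


def build_command_quoted(username, password):
    """Same shell line, with each credential quoted as a single shell word."""
    return (f"svn --username {shlex.quote(username)} "
            f"--password {shlex.quote(password)} {SVN_TAIL}")


def build_argv(username, password):
    """No shell at all: an argument vector for subprocess.run(argv)."""
    return ["svn", "--username", username, "--password", password,
            "--non-interactive", "update"]


def shell_words(command):
    """Split a command line the way a POSIX shell would (approximation),
    keeping control operators such as ';' as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def flag_survives(command):
    """True if --non-interactive is still its own argument of the first command."""
    words = shell_words(command)
    first = words[:words.index(";")] if ";" in words else words
    return "--non-interactive" in first


if __name__ == "__main__":
    # Constructed sample passwords taken from the two cases in the report.
    for pw in ("abcdef\\", ";my-malicious-command"):
        raw = build_command_string("alice", pw)
        safe = build_command_quoted("alice", pw)
        print(f"password {pw!r}")
        print("  unescaped:", shell_words(raw), "flag ok:", flag_survives(raw))
        print("  quoted:   ", shell_words(safe), "flag ok:", flag_survives(safe))
```

Passing the `build_argv` list directly to the process launcher avoids the shell entirely, so no quoting of the credentials is needed on that path.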