Subversion / SVN-3046

document security requirement for hook script arguments

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: trunk
    • Fix Version/s: 1.9.0
    • Component/s: libsvn_repos

      Description

      Add explicit notes to the comments in the hook templates stating the fact that
      the argument values should always be "$QUOTED" in the hook script.
      
      This is especially important for the PROPNAME arguments to the revprop
      change scripts, which are essentially passed through blindly from the
      client.  (There is a *client-side* validity check, which is
      irrelevant, and a check that it isn't an svn:wc: or svn:entry: prop;
      and perhaps mod_dav_svn imposes other restrictions that I'm not
      familiar with, but at least with svnserve a custom RA-driving client
      could totally set the "foo; rm -rf /;" property.)
      

            People

            • Assignee:
              Unassigned
              Reporter:
              glasser David Samuel Glasser
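The quoting requirement described in this issue, as an added example that is not Subversion's own hook template: a set of shell functions for a pre-revprop-change style check, fed the property name quoted in the description. The function names and the character allowlist are assumptions of this example; the argument order (REPOS, REV, USER, PROPNAME, ACTION) is the one the pre-revprop-change hook receives.

```shell
#!/bin/sh
# Added example: pre-revprop-change style checks with every argument quoted.
# Argument order received by the hook: REPOS REV USER PROPNAME ACTION.

# Number of words the shell produces from an UNQUOTED expansion of $1.
# Unquoted values are split on IFS (and glob-expanded), so one hostile
# argument reaches the next command as several arguments.
count_unquoted() {
    # shellcheck disable=SC2086  # deliberate, to show the hazard
    set -- $1
    echo "$#"
}

# Same value, quoted: always exactly one word, whatever it contains.
count_quoted() {
    set -- "$1"
    echo "$#"
}

# Assumption of this example: accept only names built from these characters.
# PROPNAME arrives from the client largely unchecked, so the hook checks it.
is_plain_propname() {
    case "$1" in
        ''|*[!A-Za-z0-9:_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 to allow the change, 1 to reject it. Only log-message edits pass.
allow_revprop_change() {
    propname="$4"
    action="$5"
    is_plain_propname "$propname" || return 1
    [ "$action" = "M" ] && [ "$propname" = "svn:log" ]
}

# Audit line built with printf and quoted arguments; the values are data
# only and are never re-parsed by the shell (no eval, no sh -c "...$var...").
audit_line() {
    printf 'rev=%s user=%s prop=<%s> action=%s\n' "$2" "$3" "$4" "$5"
}
```

In a hook script these would be called as `allow_revprop_change "$@"`, with the script exiting non-zero when the function returns 1.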