Posted to commits@subversion.apache.org by br...@apache.org on 2013/05/26 22:24:12 UTC

svn commit: r1486466 - /subversion/trunk/tools/server-side/svnpubsub/commit-hook.py

Author: brane
Date: Sun May 26 20:24:11 2013
New Revision: 1486466

URL: http://svn.apache.org/r1486466
Log:
* tools/server-side/svnpubsub/commit-hook.py (svncmd):
   Do not pass command through the shell to avoid shell command injection.

Modified:
    subversion/trunk/tools/server-side/svnpubsub/commit-hook.py

Modified: subversion/trunk/tools/server-side/svnpubsub/commit-hook.py
URL: http://svn.apache.org/viewvc/subversion/trunk/tools/server-side/svnpubsub/commit-hook.py?rev=1486466&r1=1486465&r2=1486466&view=diff
==============================================================================
--- subversion/trunk/tools/server-side/svnpubsub/commit-hook.py (original)
+++ subversion/trunk/tools/server-side/svnpubsub/commit-hook.py Sun May 26 20:24:11 2013
@@ -32,7 +32,7 @@ except ImportError:
 import urllib2
 
 def svncmd(cmd):
-    return subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+    return subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE)
 
 def svncmd_uuid(repo):
     cmd = "%s uuid %s" % (SVNLOOK, repo)
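Review bot: With `shell=False`, `subprocess.Popen` on POSIX treats a string argument as the path of the program to execute, so the context line in `svncmd_uuid` that still builds `cmd = "%s uuid %s" % (SVNLOOK, repo)` hands it one string containing spaces, and the launch would fail instead of running svnlook. The callers need to pass an argument list, for example `cmd = [SVNLOOK, "uuid", repo]`, which also keeps `repo` as a single argument whatever characters it contains. `svncmd_uuid` continues past the end of the hunk and other callers of `svncmd` are not visible here, so each should be checked for the same string-building pattern. A one-line docstring on `svncmd` stating that `cmd` must be a sequence of arguments, not a command string, would make the new contract explicit.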