Posted to dev@subversion.apache.org by km...@rockwellcollins.com on 2009/04/02 22:18:25 UTC

Lock message not xml escaped

After posting on users, I have now verified that lock messages
are not correctly xml escaped over neon in both svn 1.5 and 1.6.


svn lock http://server/repo/path/to/file.txt -m"Lock & load" 

fails with error: 

svn: Server sent unexpected return value (400 Bad Request) in response to 
LOCK request for '/repo/path/to/file.txt' 

Looking at the xml sent from the client to the server it is obviously not 
escaped:

<?xml version="1.0" encoding="utf-8" ?><D:lockinfo xmlns:D="DAV:"> 
<D:lockscope><D:exclusive /></D:lockscope> <D:locktype><D:write 
/></D:locktype> <D:owner>Lock & load</D:owner></D:lockinfo>

"&" should be replaced with "&amp;"

Line 411 of libsvn_client/locking_commands.c is checking to make
sure the comment doesn't contain non-xml escapable characters, but
isn't escaping the string.  I'm not sure if it should (since not
all ra layers will probably need the comment xml escaped.)

Is the proper place to xml escape this around line 274
of libsvn_ra_neon/lock.c?  (And possibly somewhere in the other
ra layers?)

(This seems like a trivial fix, so I'm not offended if someone
 else beats me to a patch...)

Thanks!
Kevin R.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1525355
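
The escaping step the report asks for, as an added stand-alone example. It is not Subversion's code and not the fix committed for this report. The helper names xml_escape_cdata and build_lockinfo are hypothetical; the request body is the one quoted in the message above.

```c
#include <stdio.h>
#include <string.h>

/* Escape TEXT for use as XML character data. Returns the escaped length, or
   -1 if OUT is too small. Written for this example; not Subversion's code. */
static int xml_escape_cdata(const char *text, char *out, size_t outsz)
{
  size_t n = 0;
  if (outsz == 0)
    return -1;
  for (; *text; text++) {
    char one[2] = { *text, '\0' };
    const char *rep = one;
    size_t len;
    if (*text == '&') rep = "&amp;";
    else if (*text == '<') rep = "&lt;";
    else if (*text == '>') rep = "&gt;";
    len = strlen(rep);
    if (n + len + 1 > outsz)
      return -1;                 /* refuse to truncate mid-entity */
    memcpy(out + n, rep, len);
    n += len;
  }
  out[n] = '\0';
  return (int)n;
}

/* Build the LOCK request body shown in the thread, escaping the comment
   before it is placed in <D:owner>. Returns body length or -1. */
static int build_lockinfo(const char *comment, char *out, size_t outsz)
{
  char owner[512];
  int n;
  if (xml_escape_cdata(comment, owner, sizeof owner) < 0)
    return -1;
  n = snprintf(out, outsz,
               "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
               "<D:lockinfo xmlns:D=\"DAV:\">"
               "<D:lockscope><D:exclusive /></D:lockscope>"
               "<D:locktype><D:write /></D:locktype>"
               "<D:owner>%s</D:owner></D:lockinfo>", owner);
  return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
  char body[1024];
  if (build_lockinfo("Lock & load", body, sizeof body) > 0)  /* comment from the thread */
    puts(body);
  return 0;
}
```

Escaping where the XML body is assembled, rather than in the caller, also keeps a comment containing markup from changing the structure of the request.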

Re: Lock message not xml escaped

Posted by "C. Michael Pilato" <cm...@collab.net>.
Daniel Shahaf wrote:
> kmradke@rockwellcollins.com wrote on Thu, 2 Apr 2009 at 17:18 -0500:
>> After posting on users, I have now verified that lock messages
>> are not correctly xml escaped over neon in both svn 1.5 and 1.6.
>>
>>
>> svn lock http://server/repo/path/to/file.txt -m"Lock & load" 
>>
>> fails with error: 
>>
>> svn: Server sent unexpected return value (400 Bad Request) in response to 
>> LOCK request for '/repo/path/to/file.txt' 
>>
>> Looking at the xml sent from the client to the server it is obviously not 
>> escaped:
>>
>> <?xml version="1.0" encoding="utf-8" ?><D:lockinfo xmlns:D="DAV:"> 
>> <D:lockscope><D:exclusive /></D:lockscope> <D:locktype><D:write 
>> /></D:locktype> <D:owner>Lock & load</D:owner></D:lockinfo>
>>
>> "&" should be replaced with "&amp;"
>>
>> Line 411 of libsvn_client/locking_commands.c is checking to make
>> sure the comment doesn't contain non-xml escapable characters, but
>> isn't escaping the string.
> 
> FWIW, same in svn_ra_lock() in ra_loader.c.
> 
>> I'm not sure if it should (since not all ra layers will probably need
>> the comment xml escaped.)
>>
>> Is the proper place to xml escape this around line 274
>> of libsvn_ra_neon/lock.c?  (And possibly somewhere in the other
>> ra layers?)
>>
> 
> Agreed.  +1 to fixing it in libsvn_ra_neon/lock.c (in
> svn_ra_neon__lock() or one of its helpers).
> 
>> (This seems like a trivial fix, so I'm not offended if someone
>>  else beats me to a patch...)
>>
> 
> Agreed...

Fixed this (with an accompanying regression test) in r38101 and r38102.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2363625

Re: Lock message not xml escaped

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
kmradke@rockwellcollins.com wrote on Thu, 2 Apr 2009 at 17:18 -0500:
> After posting on users, I have now verified that lock messages
> are not correctly xml escaped over neon in both svn 1.5 and 1.6.
> 
> 
> svn lock http://server/repo/path/to/file.txt -m"Lock & load" 
> 
> fails with error: 
> 
> svn: Server sent unexpected return value (400 Bad Request) in response to 
> LOCK request for '/repo/path/to/file.txt' 
> 
> Looking at the xml sent from the client to the server it is obviously not 
> escaped:
> 
> <?xml version="1.0" encoding="utf-8" ?><D:lockinfo xmlns:D="DAV:"> 
> <D:lockscope><D:exclusive /></D:lockscope> <D:locktype><D:write 
> /></D:locktype> <D:owner>Lock & load</D:owner></D:lockinfo>
> 
> "&" should be replaced with "&amp;"
> 
> Line 411 of libsvn_client/locking_commands.c is checking to make
> sure the comment doesn't contain non-xml escapable characters, but
> isn't escaping the string.

FWIW, same in svn_ra_lock() in ra_loader.c.

> I'm not sure if it should (since not all ra layers will probably need
> the comment xml escaped.)
> 
> Is the proper place to xml escape this around line 274
> of libsvn_ra_neon/lock.c?  (And possibly somewhere in the other
> ra layers?)
> 

Agreed.  +1 to fixing it in libsvn_ra_neon/lock.c (in
svn_ra_neon__lock() or one of its helpers).

> (This seems like a trivial fix, so I'm not offended if someone
>  else beats me to a patch...)
> 

Agreed...

Daniel

> Thanks!
> Kevin R.
> 
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1525355
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1560403