Posted to dev@whimsical.apache.org by Craig Russell <cr...@oracle.com> on 2016/03/28 16:51:40 UTC

Incorrect space escape for staple

secretary assistant staple function
Staple

convert 'schultz/Apache Membership Application.jpg' 'schultz/Apache_Membership Application.pdf'
mv schultz/Apache_Membership Application.pdf schultz.pdf
mv: target ‘schultz.pdf’ is not a directory
svn add schultz.pdf
svn: warning: W155010: '/srv/secretary/workbench/documents/received/schultz.pdf' not found
svn: E200009: Could not add all targets because some targets don't exist
svn: E200009: Illegal target for the requested operation
svn propset svn:mime-type application/pdf schultz.pdf
'schultz.pdf' is not under version control
svn: E155010: The node '/srv/secretary/workbench/documents/received/schultz.pdf' was not found.
svn rm --force schultz/Apache Membership Application.jpg
svn: E125001: '/srv/secretary/workbench/documents/received/schultz/Apache' does not exist

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo


Re: Incorrect space escape for staple

Posted by Sam Ruby <ru...@intertwingly.net>.
On Mon, Mar 28, 2016 at 10:51 AM, Craig Russell
<cr...@oracle.com> wrote:
> secretary assistant staple function
> Staple
>
> convert 'schultz/Apache Membership Application.jpg' 'schultz/Apache_Membership Application.pdf'
> mv schultz/Apache_Membership Application.pdf schultz.pdf
> mv: target ‘schultz.pdf’ is not a directory
> svn add schultz.pdf
> svn: warning: W155010: '/srv/secretary/workbench/documents/received/schultz.pdf' not found
> svn: E200009: Could not add all targets because some targets don't exist
> svn: E200009: Illegal target for the requested operation
> svn propset svn:mime-type application/pdf schultz.pdf
> 'schultz.pdf' is not under version control
> svn: E155010: The node '/srv/secretary/workbench/documents/received/schultz.pdf' was not found.
> svn rm --force schultz/Apache Membership Application.jpg
> svn: E125001: '/srv/secretary/workbench/documents/received/schultz/Apache' does not exist

This code can be found here:

https://github.com/apache/whimsy/blob/master/www/secretary/workbench/file.cgi

Here is the code that will be replacing it:

https://github.com/apache/whimsy/blob/master/www/secmail/views/actions/drop.json.rb

Note that this code uses Kernel.system with a list of distinct
parameters rather than depending on shell parsing. The new code also
requires all input received from outside sources to be explicitly
untainted, and that should only be done if the source is trusted
(e.g., __dir__ returns a tainted value, but it is safe for our purposes),
or has been validated (generally with a regular expression).

Also note that this is a small, well contained script; taking as input
@source, @target, and @message, and returning a single result. As
opposed to file.cgi which does pretty much everything, and the flow of
data... well, let's just say that it isn't quite so clear.

It is my hope to return to the task of completing the new secmail
application once all of the membership applications have been received
and processed.

> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo

- Sam Ruby
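
The following is an added example, not part of the original thread and not Whimsy's code: it reproduces the failing `mv` from the report with an interpolated command string, then repeats it with Kernel.system given distinct parameters after a regular-expression check. The `SAFE_NAME` pattern, the function names, and the sample file are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'shellwords'

# Assumed validation rule (not Whimsy's): a single path component that starts
# with a word character, so no '/', no '..', and no leading '-' option.
SAFE_NAME = /\A\w[\w .-]*\z/

def safe_name?(name)
  name.match?(SAFE_NAME)
end

# Words a POSIX shell would see for the interpolated command from the thread.
def shell_words(src, dst)
  Shellwords.split("mv #{src} #{dst}")
end

# Before: one interpolated string, so the space in src splits the argument.
def move_with_string(dir, src, dst)
  system("mv #{src} #{dst}", chdir: dir, err: File::NULL)
end

# After: validated names passed as distinct parameters; no shell parsing.
def move_with_argv(dir, src, dst)
  raise ArgumentError, 'unsafe file name' unless [src, dst].all? { |n| safe_name?(n) }
  system('mv', '--', src, dst, chdir: dir)
end

# Runs both forms in a scratch directory on a constructed sample file.
def demo
  Dir.mktmpdir do |dir|
    src = 'Apache_Membership Application.pdf' # constructed sample name
    File.write(File.join(dir, src), 'constructed sample')
    string_ok = move_with_string(dir, src, 'schultz.pdf')
    argv_ok = move_with_argv(dir, src, 'schultz.pdf')
    { string_ok: string_ok, argv_ok: argv_ok,
      moved: File.exist?(File.join(dir, 'schultz.pdf')) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The string form hands `mv` three operands and fails the same way as the log above, while the argv form passes the name with its space intact.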