Posted to commits@subversion.apache.org by sc...@apache.org on 2014/06/20 14:10:19 UTC
svn commit: r1604153 - /subversion/trunk/subversion/libsvn_repos/repos.c
Author: schabi
Date: Fri Jun 20 12:10:18 2014
New Revision: 1604153
URL: http://svn.apache.org/r1604153
Log:
Fix issue 3046 by adding a statement about quoting of parameters and delimiting argument lists. Also add a hint about peg revisions, while we are at it.
* subversion/libsvn_repos/repos.c
(create_hooks): Add a hint about quoting of parameters and URL
handling to the hook templates.
Approved by: danielsh
Modified:
subversion/trunk/subversion/libsvn_repos/repos.c
Modified: subversion/trunk/subversion/libsvn_repos/repos.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/repos.c?rev=1604153&r1=1604152&r2=1604153&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_repos/repos.c (original)
+++ subversion/trunk/subversion/libsvn_repos/repos.c Fri Jun 20 12:10:18 2014
@@ -280,6 +280,16 @@ create_locks(svn_repos_t *repos, apr_poo
"# http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and" NL \
"# http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/" NL
+#define HOOKS_QUOTE_ARGUMENTS_TEXT \
+ "# CAUTION:" NL \
+ "# For security reasons, you MUST always properly quote arguments when" NL \
+ "# you use them, as those arguments could contain whitespace or other" NL \
+ "# problematic characters. Additionally, you should delimit the list" NL \
+ "# of options with \"--\" before passing the arguments, so malicious" NL \
+ "# clients cannot bootleg unexpected options to the commands your" NL \
+ "# script aims to execute." NL \
+ "# For similar reasons, you should also add a trailing @ to URLs which" NL \
+ "# are passed to SVN commands accepting URLs with peg revisions." NL
static svn_error_t *
create_hooks(svn_repos_t *repos, apr_pool_t *pool)
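Review bot: The CAUTION text in HOOKS_QUOTE_ARGUMENTS_TEXT is written for a POSIX shell (double-quoting, the `--` option delimiter), but several of the templates it is spliced into tell the reader the hook may instead be a '.bat' or '.exe' (context at the hunks ending at L70, L80, L98 and L107), where neither rule applies as stated and a Windows batch file has its own quoting pitfalls. Suggest closing the macro with one more line so the advice is scoped, e.g. `"# (These rules are for a POSIX shell; a .bat or .exe hook must apply" NL \` followed by `"# its platform's own quoting; the \"--\" delimiter only helps with commands" NL \` and `"# that honour it.)" NL`. The text also never says which values it means; a short clause such as "the positional arguments ($1, $2, ...) this script receives" would tie it to the `REPOS="$1"` line the examples start with. The macro is complete within this hunk; create_hooks continues outside it.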
@@ -354,6 +364,8 @@ create_hooks(svn_repos_t *repos, apr_poo
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -439,6 +451,8 @@ PREWRITTEN_HOOKS_TEXT
"#" NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
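Review bot: The added separator `"# " NL` carries a trailing space while the separator two lines above it in the same template is `"#" NL` (L46), so the generated hook file mixes the two forms; the same applies in the hunks ending at L62, L70 and L80, where the preceding separator is also `"#" NL`. This is a style nit only, since the comment lines are inert in the script, but emitting `"#" NL` where the surrounding template already uses it would keep the generated text free of trailing whitespace. The enclosing string literal in create_hooks starts and ends outside this hunk.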
@@ -522,6 +536,8 @@ PREWRITTEN_HOOKS_TEXT
"#" NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -594,6 +610,8 @@ PREWRITTEN_HOOKS_TEXT
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -681,6 +699,8 @@ PREWRITTEN_HOOKS_TEXT
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -767,6 +787,8 @@ PREWRITTEN_HOOKS_TEXT
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -830,6 +852,8 @@ PREWRITTEN_HOOKS_TEXT
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -888,6 +912,8 @@ PREWRITTEN_HOOKS_TEXT
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -951,6 +977,8 @@ PREWRITTEN_HOOKS_TEXT
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL