Posted to issues@continuum.apache.org by "Olivier Dehon (JIRA)" <ji...@codehaus.org> on 2010/10/26 14:09:05 UTC

[jira] Created: (CONTINUUM-2577) Subversion login and password are not properly escaped in svn shell invocation from release prepare

Subversion login and password are not properly escaped in svn shell invocation from release prepare
---------------------------------------------------------------------------------------------------

                 Key: CONTINUUM-2577
                 URL: http://jira.codehaus.org/browse/CONTINUUM-2577
             Project: Continuum
          Issue Type: Bug
         Environment: Linux
            Reporter: Olivier Dehon


When preparing a release, if the user mistypes their Subversion password
and adds a backslash at the end, then the release prepare phase gets stuck
in the "update-working-copy" (the first) step. This is because the svn
command issued by Continuum is:
 
svn --username xxxxx --password abcdef\ --non-interactive ...

which means that the space between the password and the space before the
--non-interactive option is escaped, which in turn means that this
option is not seen at all, and since the password is incorrect, it goes
ahead and tries to prompt the user for their correct password in the
command line, so the process hangs (found that by running a:
ps -edf | grep svn
on the server).

The username and password should be shell-escaped to avoid this. (Imagine
the disaster if the user enters a password ";my-malicious-command")


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
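
Added example (not part of the original report and not Continuum's code): the parsing failure described above, reproduced with a hypothetical fake_svn stand-in that only counts its arguments, next to two fixes. The function names and the quoting helper are assumptions made for illustration.

```shell
#!/bin/sh
# fake_svn is a hypothetical stand-in for the svn client: it prints how many
# arguments it received and whether --non-interactive was one of them.
fake_svn() {
    seen=no
    for a in "$@"; do
        if [ "$a" = "--non-interactive" ]; then seen=yes; fi
    done
    printf '%s %s\n' "$#" "$seen"
}

# Wrap a value in single quotes for /bin/sh; each embedded ' becomes '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Before: credentials pasted into a command string that the shell re-parses.
run_unescaped() {
    eval "fake_svn --username $1 --password $2 --non-interactive"
}

# Fix 1: quote each credential before it enters the command string.
run_escaped() {
    eval "fake_svn --username $(sh_quote "$1") --password $(sh_quote "$2") --non-interactive"
}

# Fix 2: no command string at all; each value is passed as its own argument.
run_argv() {
    fake_svn --username "$1" --password "$2" --non-interactive
}

pass='abcdef\'   # constructed sample: the mistyped password from the report
echo "unescaped: $(run_unescaped xxxxx "$pass")"   # option swallowed by the backslash
echo "escaped:   $(run_escaped xxxxx "$pass")"
echo "argv:      $(run_argv xxxxx "$pass")"
```

In the unescaped run the trailing backslash joins the password and --non-interactive into a single argument, which is why the client falls back to prompting. Passing an argument list instead of a command string removes the need for quoting altogether.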

        

[jira] Updated: (CONTINUUM-2577) Subversion login and password are not properly escaped in svn shell invocation from release prepare

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated CONTINUUM-2577:
------------------------------------

    Fix Version/s: 1.4.1 (Beta)

> Subversion login and password are not properly escaped in svn shell invocation from release prepare
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CONTINUUM-2577
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2577
>             Project: Continuum
>          Issue Type: Bug
>         Environment: Linux
>            Reporter: Olivier Dehon
>             Fix For: 1.4.1 (Beta)
>
>
> When preparing a release, if the user mistypes their Subversion password
> and adds a backslash at the end, then the release prepare phase gets stuck
> in the "update-working-copy" (the first) step. This is because the svn
> command issued by Continuum is:
>  
> svn --username xxxxx --password abcdef\ --non-interactive ...
> which means that the space between the password and the space before the
> --non-interactive option is escaped, which in turn means that this
> option is not seen at all, and since the password is incorrect, it goes
> ahead and tries to prompt the user for their correct password in the
> command line, so the process hangs (found that by running a:
> ps -edf | grep svn
> on the server).
> The username and password should be shell-escaped to avoid this. (Imagine
> the disaster if the user enters a password ";my-malicious-command")
