On 28.03.2013 18:08, Daniel Shahaf wrote: > Ben Reser wrote on Thu, Mar 28, 2013 at 09:30:05 -0700: >> On Thu, Mar 21, 2013 at 10:41 AM, Branko Čibej <br...@wandisco.com> wrote: >>> However it would avoid a possible security issue or two as well. IMO our >>> documentation is correct and we should fix the code to behave as documented. >> I don't think we ever came to a conclusion on this. However, Bert had >> some important comments about how Windows handles the PATH on IRC. >> >> 17:19 Bert You need PATH to find shared libraries. And many tools >> rely >> on environment variables to find out things about the runtime >> environment. (E.g. system temp directory) >> 17:20 Bert There is no way to obtain that if you remove the >> variable >> >> Full discussion is here: >> http://colabti.org/irclogger/irclogger_log/svn-dev?date=2013-03-21 > Can we come up with a whitelist of envvars to keep? > (PATH, TEMP, TMP, TMPDIR, etc; don't have a windows box handy to examine)
I'm not sure I agree; this is what $repo/conf/hooks-env is for after all. It's true that Windows keeps "system" and "user" environment variables separate, and hook scripts will inherit from httpd (or svnserve) which, when run as a service, will only see the system environment. So what environment the hook script sees is strictly under the sysadmin's control. However, pretty much the same is true on Unix; so if we have a valid reason for starting with an empty environment there, we may as well do that on Windows, too. Although I can imagine the pain of migrating every Windows-based SVN server to a different scheme for setting the environment. -- Brane -- Branko Čibej Director of Subversion | WANdisco | www.wandisco.com
