Hi,
The attached patch fixes issue 3046 and also adds a hint w.r.t. peg revisions,
as inspired by danielsh on IRC.
[[[
Fix issue 3046 by adding a statement about quoting of parameters. Also
add a hint about peg revisions, while we are at it.
* subversion/libsvn_repos/repos.c
(create_hooks): Add a hint about quoting of parameters and URL
handling to the hook templates.
]]]
Best regards
Markus Schaber
Index: subversion/libsvn_repos/repos.c
===================================================================
--- subversion/libsvn_repos/repos.c (revision 1603773)
+++ subversion/libsvn_repos/repos.c (working copy)
@@ -280,6 +280,13 @@
"# http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and"
NL \
"# http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/"
NL
+#define HOOKS_QUOTE_ARGUMENTS_TEXT \
+ "# CAUTION:" NL \
+ "# For security reasions, you MUST always properly qoute arguments when" NL \
+ "# you use them. For example, a malicious client could try to set a" NL \
+ "# revision property named \"foo; rm -rf /;\"." NL \
+ "# For similar reasons, you should also add a trailing @ to URLs which" NL \
+ "# are passed to SVN commands which accept URLs with peg revisions." NL
static svn_error_t *
create_hooks(svn_repos_t *repos, apr_pool_t *pool)
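Review bot: the new HOOKS_QUOTE_ARGUMENTS_TEXT string carries two typos that will be copied into every generated hook template: "reasions" should be "reasons" and "qoute" should be "quote". While touching that text, consider saying what the trailing @ actually achieves, since the hint gives the rule but not the reason; something like "# (a trailing @ makes a literal @ inside the path part of the path rather than the start of a peg revision)" would let a hook author understand when it matters. It may also be worth stating that the quoting rule applies to every argument the hook receives and not only to the revision property name used in the example, since that is what the "you MUST always properly quote arguments" sentence intends.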
@@ -354,6 +361,8 @@
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -439,6 +448,8 @@
"#" NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -522,6 +533,8 @@
"#" NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -594,6 +607,8 @@
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
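Review bot: this template tells Windows users that their hook would be SCRIPT_NAME.bat or SCRIPT_NAME.exe, but the inserted HOOKS_QUOTE_ARGUMENTS_TEXT illustrates the risk with a /bin/sh style payload ("foo; rm -rf /") and Unix shell quoting in mind; cmd.exe batch files follow different quoting and escaping rules, so a reader of this template may take the caution as Unix-only. Consider adding one sentence to the caution saying that the rule applies on every platform and that the quoting mechanism depends on the interpreter the hook is written for. The same remark applies to the other .bat/.exe templates this patch touches.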
@@ -681,6 +696,8 @@
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"#" NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -767,6 +784,8 @@
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL
@@ -830,6 +849,8 @@
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -888,6 +909,8 @@
"# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe'," NL
"# but the basic idea is the same." NL
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter:" NL
"" NL
"REPOS=\"$1\"" NL
@@ -951,6 +974,8 @@
"# " NL
HOOKS_ENVIRONMENT_TEXT
"# " NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# " NL
"# Here is an example hook script, for a Unix /bin/sh interpreter." NL
PREWRITTEN_HOOKS_TEXT
"" NL