Hi,

The patch is actually attached.



Best regards

Markus Schaber

CODESYS® a trademark of 3S-Smart Software Solutions GmbH

Inspiring Automation Solutions

3S-Smart Software Solutions GmbH
Dipl.-Inf. Markus Schaber | Product Development Core Technology
Memminger Str. 151 | 87439 Kempten | Germany
Tel. +49-831-54031-979 | Fax +49-831-54031-50

E-Mail: m.scha...@codesys.com | Web: http://www.codesys.com | CODESYS store: 
http://store.codesys.com
CODESYS forum: http://forum.codesys.com

Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade 
register: Kempten HRB 6186 | Tax ID No.: DE 167014915

> -----Original Message-----
> From: Markus Schaber [mailto:m.scha...@codesys.com]
> Sent: Thursday, 19 June 2014 14:01
> To: Konstantin Kolinko
> Cc: Subversion Dev (dev@subversion.apache.org)
> Subject: RE: [Patch] Fix for Issue 3046: document security
> requirement for hook script arguments
> 
> Hi,
> 
> The second iteration of the patch to fix issue 3046 and also add a
> hint wr/t peg revisions, as inspired by danielsh on IRC while
> discussing issue 2349. This iteration fixes 2 typos.
> 
> [[[
> Fix issue 3046 by adding a statement about quoting of parameters.
> Also add a hint about peg revisions, while we are at it.
> 
> * subversion/libsvn_repos/repos.c
>   (create_hooks): Add a hint about quoting of parameters and url
>     handling to the hook templates.
> ]]]
> 
> Best regards
> 
> Markus Schaber
> 
> > -----Original Message-----
> > From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> > Sent: Thursday, 19 June 2014 13:45
> > To: Markus Schaber
> > Cc: Subversion Dev (dev@subversion.apache.org)
> > Subject: Re: [Patch] Fix for Issue 3046: document security requirement
> > for hook script arguments
> >
> > 2014-06-19 15:08 GMT+04:00 Markus Schaber <m.scha...@codesys.com>:
> > > Hi,
> > >
> > > The attached patch fixes issue 3046 and also adds a hint wr/t peg
> > > revisions, as inspired by danielsh on IRC.
> > >
> > > [[[
> > > Fix issue 3046 by adding a statement about quoting of parameters.
> > > Also add a hint about peg revisions, while we are at it.
> > >
> > > * subversion/libsvn_repos/repos.c
> > >   (create_hooks): Add a hint about quoting of parameters and url
> > >     Handling to the hook templates.
> > > ]]]
> >
> > Interesting.
> >
> > A typo in the text:
> > s/qoute/quote/
> >
> > In commit message:
> > s/Handling/handling/
> >
> > Best regards,
> > Konstantin Kolinko
Index: subversion/libsvn_repos/repos.c
===================================================================
--- subversion/libsvn_repos/repos.c     (revision 1603773)
+++ subversion/libsvn_repos/repos.c     (working copy)
@@ -280,6 +280,13 @@
   "# http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ and" 
       NL \
   "# http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/";   
       NL
 
+#define HOOKS_QUOTE_ARGUMENTS_TEXT                                            \
+  "# CAUTION:"                                                             NL \
+  "# For security reasions, you MUST always properly quote arguments when" NL \
+  "# you use them. For example, a malicious client could try to set a"     NL \
+  "# revision property named \"foo; rm -rf /;\"."                          NL \
+  "# For similar reasons, you should also add a trailing @ to URLs which"  NL \
+  "# are passed to SVN commands which accept URLs with peg revisions."     NL
 
 static svn_error_t *
 create_hooks(svn_repos_t *repos, apr_pool_t *pool)
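Review bot: "reasions" in the second line of HOOKS_QUOTE_ARGUMENTS_TEXT is a typo for "reasons"; since this text is copied verbatim into every generated hook template, fix it before commit, e.g. `"# For security reasons, you MUST always properly quote arguments when" NL \`. The s/qoute/quote/ fix requested earlier in the thread does appear to be applied in this iteration. Consider also saying "paths or URLs" in the last two lines, since the same peg-revision parsing applies to working-copy paths handed to svn commands, not only to URLs.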
@@ -354,6 +361,8 @@
 "# "                                                                         NL
 HOOKS_ENVIRONMENT_TEXT
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter."          NL
 PREWRITTEN_HOOKS_TEXT
 ""                                                                           NL
@@ -439,6 +448,8 @@
 "#"                                                                          NL
 HOOKS_ENVIRONMENT_TEXT
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter."          NL
 PREWRITTEN_HOOKS_TEXT
 ""                                                                           NL
@@ -522,6 +533,8 @@
 "#"                                                                          NL
 HOOKS_ENVIRONMENT_TEXT
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter."          NL
 PREWRITTEN_HOOKS_TEXT
 ""                                                                           NL
@@ -594,6 +607,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe',"                              NL
 "# but the basic idea is the same."                                          NL
 "#"                                                                          NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:"          NL
 ""                                                                           NL
 "REPOS=\"$1\""                                                               NL
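Review bot: the inserted separator line is `"# "` (trailing space) while the pre-existing comment lines in this template use `"#"` with no trailing space; match the surrounding style so the generated template stays consistent (the hunks at @@ -830 and @@ -888 sit in templates that already use `"# "`, so they are fine as written).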
@@ -681,6 +696,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe',"                              NL
 "# but the basic idea is the same."                                          NL
 "#"                                                                          NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:"          NL
 ""                                                                           NL
 "REPOS=\"$1\""                                                               NL
@@ -767,6 +784,8 @@
 "# "                                                                         NL
 HOOKS_ENVIRONMENT_TEXT
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter."          NL
 PREWRITTEN_HOOKS_TEXT
 ""                                                                           NL
@@ -830,6 +849,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe',"                              NL
 "# but the basic idea is the same."                                          NL
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:"          NL
 ""                                                                           NL
 "REPOS=\"$1\""                                                               NL
@@ -888,6 +909,8 @@
 "# '"SCRIPT_NAME".bat' or '"SCRIPT_NAME".exe',"                              NL
 "# but the basic idea is the same."                                          NL
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter:"          NL
 ""                                                                           NL
 "REPOS=\"$1\""                                                               NL
@@ -951,6 +974,8 @@
 "# "                                                                         NL
 HOOKS_ENVIRONMENT_TEXT
 "# "                                                                         NL
+HOOKS_QUOTE_ARGUMENTS_TEXT
+"# "                                                                         NL
 "# Here is an example hook script, for a Unix /bin/sh interpreter."          NL
 PREWRITTEN_HOOKS_TEXT
 ""                                                                           NL