Markus Schaber wrote on Fri, Jun 20, 2014 at 07:53:09 +0000: > Hi, > > See attached the third iteration of the patch. > > I did add coverage for the problems of arguments containing whitespace and > dashes, and did drop the example I got from the issue tracker, as it is > questionable whether that specific example really is a problem. > > > [[[ > Fix issue 3046 by adding a statement about quoting of parameters and > delimiting argument lists. Also add a hint about peg revisions, while we are > at it. > > * subversion/libsvn_repos/repos.c > (create_hooks): Add a hint about quoting of parameters and url > handling to the hook templates. > ]]] > > +#define HOOKS_QUOTE_ARGUMENTS_TEXT > \ > + "# CAUTION:" > NL \ > + "# For security reasons, you MUST always properly quote arguments when" > NL \ > + "# you use them, as those arguments could contain whitespace or other" > NL \ > + "# problematic characters. Additionally, you should delimit the list" > NL \ > + "# of options with \"--\" before passing the arguments, so malicious" > NL \ > + "# clients cannot bootleg unexpected options to the commands your" > NL \ > + "# script aims to execute." > NL \ > + "# For similar reasons, you should also add a trailing @ to URLs which" > NL \ > + "# are passed to SVN commands accepting URLs with peg revisions." NL
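Review bot: The HOOKS_QUOTE_ARGUMENTS_TEXT caution says arguments "MUST" be quoted and the option list delimited with "--", but it never shows what that looks like, and hook authors who copy the template are the ones least likely to know. Consider adding one short illustrative comment line to the macro, along the lines of `some-command -- "$1" "$2"`, so that the quoting and the delimiter appear together. In the same text, "bootleg unexpected options" would read more clearly as "smuggle" or "inject". The final sentence about the trailing @ gives no reason. A half-sentence saying that an "@" already present in the URL would otherwise be parsed as the start of a peg revision would make the advice actionable. Only the #define is visible here, so it is also worth confirming that each template written by create_hooks actually includes the new macro.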
+1, thanks!