On Tue, 31 Dec 2024 at 10:36, Stefan Sperling <s...@stsp.name> wrote:
> This change seems to be unnecessary to me. The stated motivation for it,
> i.e. translating URLs to local paths in order to decide which local files
> were modified, ignores risks which occur beyond the escaping of characters.
>
> If a mapping from repo URL to a local path is needed for scripting purposes
> without any further processing, then the file or directory can be checked
> out before diff --summarize is run. When provided a working copy path then
> diff --summarize displays on-disk paths in local style, spaces and all.
> So why not just use a working copy if local paths are required?
>
> When provided a URL, then diff --summarize displays a URL.
> There should already be tools which decode URI-encoded data for use in
> a script if that is needed. However, there are problems beyond characters
> which require escaping in a URL. Scripts should take precautions when
> translating URLs to a local path in an automated way. The repository root
> needs to be inferred somehow, e.g. the repository-relative path for the URL
> https://svn.apache.org/repos/asf/subversion/trunk/libsvn_client
> is subversion/trunk/libsvn_client, and scripts would need to know this.
>
> Worse, paths need to be normalized before use because a malicious server
> or proxy could return a URL containing path components such as .. and
> then overwrite files outside the intended working area.
>
> The SVN client covers such problems during checkout. Checking out a working
> copy before operating on local paths is much safer than working from URLs.
>

Thanks Stefan for your thoughts on this, your comments uncovered even more problems with this change.

I believe the reason was to "display names in human readable format", rather than to actually do local processing. Since this is only an issue when there is no WC, I was assuming they used it to check for example other branches than the current branch.

The scripting issue wasn't even mentioned by the OP, it was my arguments for NOT making any changes.

Anyway, the OP reviewed this thread and decided to retract the PR, so I'm only replying to have it in the e-mail archives as part of this thread.

Cheers,
Daniel
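
Added example, not part of the e-mail thread and not Subversion code: a sketch of the precautions the quoted message says a script needs when it maps a URL printed by diff --summarize to a local path without a working copy. The function name, the exception class and the requirement that the caller supplies the repository root URL are assumptions made for this illustration.

```python
from pathlib import Path
from urllib.parse import unquote, urlsplit


class UnsafeURL(ValueError):
    """Raised when a URL cannot be mapped safely below the work area."""


def url_to_local_path(url, repo_root_url, work_dir):
    """Map a repository URL to a path below work_dir (hypothetical helper).

    repo_root_url must be given by the caller: the repository-relative
    part cannot be inferred from the URL alone.
    """
    root = urlsplit(repo_root_url)
    target = urlsplit(url)
    # Only accept URLs on the server and scheme the script expects.
    if (target.scheme, target.netloc) != (root.scheme, root.netloc):
        raise UnsafeURL("URL is not on the expected server")

    # Decode before checking, so that %2e%2e is seen as "..".
    root_path = unquote(root.path).rstrip("/") + "/"
    decoded = unquote(target.path)
    if not decoded.startswith(root_path):
        raise UnsafeURL("URL is outside the repository root")

    rel = decoded[len(root_path):]
    parts = rel.split("/")
    # Reject empty, "." and ".." components, backslashes and NUL bytes
    # instead of trying to repair them.
    if any(p in ("", ".", "..") for p in parts) or "\\" in rel or "\0" in rel:
        raise UnsafeURL("unsafe path component in %r" % rel)

    # Final containment check on the resolved path, which also catches
    # symlinks inside work_dir that point elsewhere.
    base = Path(work_dir).resolve()
    candidate = base.joinpath(*parts).resolve()
    if base not in candidate.parents:
        raise UnsafeURL("path escapes the work area")
    return candidate
```

As the quoted message notes, checking out a working copy and passing its path to diff --summarize avoids needing such a mapping at all.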