[
https://issues.apache.org/jira/browse/SVN-3046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Zhakov updated SVN-3046:
-----------------------------
Fix Version/s: 1.9.0 (was: 1.8-consider)
> document security requirement for hook script arguments
> -------------------------------------------------------
>
> Key: SVN-3046
> URL: https://issues.apache.org/jira/browse/SVN-3046
> Project: Subversion
> Issue Type: Bug
> Components: libsvn_repos
> Affects Versions: trunk
> Reporter: David Glasser
> Labels: bite-sized
> Fix For: 1.9.0
>
>
> {noformat:nopanel=true}
> Add explicit notes to the comments in the hook templates stating the fact that
> the argument values should always be "$QUOTED" in the hook script.
> This is especially important for the PROPNAME arguments to the revprop
> change scripts, which are essentially passed through blindly from the
> client. (There is a *client-side* validity check, which is
> irrelevant, and a check that it isn't an svn:wc: or svn:entry: prop;
> and perhaps mod_dav_svn imposes other restrictions that I'm not
> familiar with, but at least with svnserve a custom RA-driving client
> could totally set the "foo; rm -rf /;" property.)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
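A pre-revprop-change hook written the way the report asks, with every argument "$QUOTED" and never spliced into a command string. This is an added example, not the Subversion project's own hook template; the allowlist of permitted property names is an addition beyond the report's request, and the repository path, user and property names used below are constructed.

```shell
#!/bin/sh
# pre-revprop-change hook: every argument is "$QUOTED", as SVN-3046 asks.
# Added example, not the Subversion project's hook template.
#
# Subversion runs:  pre-revprop-change REPOS-PATH REV USER PROPNAME ACTION
# and pipes the new property value to stdin. PROPNAME reaches this script
# essentially unfiltered from the client, so it is untrusted data.

# validate_propname NAME -> 0 if NAME may be changed (an allowlist; this is
# an addition, the report itself only asks for quoting). The case statement
# compares the quoted string literally, so a name like 'foo; rm -rf /;'
# simply matches nothing and is refused.
validate_propname() {
    case "$1" in
        svn:log|svn:author|svn:date) return 0 ;;
        *) return 1 ;;
    esac
}

# check_revprop_change REPOS REV USER PROPNAME ACTION -> 0 allow, 1 deny.
# Text written to stderr is relayed by svn to the client as the error text.
check_revprop_change() {
    repos="$1"; rev="$2"; user="$3"; propname="$4"; action="$5"

    if [ "$action" != "M" ]; then
        printf 'Only modifying (M) revision properties is allowed on %s@%s\n' \
            "$repos" "$rev" >&2
        return 1
    fi
    if ! validate_propname "$propname"; then
        # The name goes to printf as a %s argument, never into a format
        # string or an 'sh -c "..."' command line, so shell metacharacters
        # in it are printed, not interpreted.
        printf 'Changing revision property %s is prohibited (user %s)\n' \
            "$propname" "$user" >&2
        return 1
    fi
    return 0
}

# Hook entry point: Subversion always supplies exactly five arguments.
if [ "$#" -eq 5 ]; then
    check_revprop_change "$@"
    exit $?
fi
```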