> -----Original Message----- > From: Stefan Sperling [mailto:s...@elego.de] > Sent: zondag 4 oktober 2015 22:01 > To: Branko Čibej <br...@apache.org> > Cc: users@subversion.apache.org > Subject: Re: Bug report: The auto-props setting of svn:mime-type is > impossible to avoid. > > On Sun, Oct 04, 2015 at 09:16:04PM +0200, Branko Čibej wrote: > > On the other hand, I am surprised that the logic that uses libmagic > > isn't turned off with 'enable-auto-props=no'. After all, using libmagic > > is just a convenient extension to the definitions in the [auto-props] > > section. > > Recall that the idea was to make setting svn:mime-type convenient. > > Before we added this feature, people had to fiddle with their client > config, know what MIME-types are about, what useful values to set > them to, and keep their config consistent across all systems they > used since libmagic support pre-dates the svn:autoprops feature. > In a sane universe, almost nobody would ever bother setting it up that way. > > I am not opposed to the idea, though. But not because of the fairly > minor configurability issues raised in this thread. Rather, because > the more I learn about how libmagic actually works, the more potentially > dangerous, from the security point of view, it seems to be. > The libmagic parser could potentially cause security problems whenever > people are adding untrusted files to SVN. Which is a good reason to make > this feature opt-in.
I would support changing Subversion to -by default- disable this feature, unless it is enabled in the configuration (or some flag passed to 'svn add' in 1.10+). I'm not sure if I would call it a security problem when a user adds a file of their choosing to Subversion though :-) This whole discussion -in its many iterations- is one of the reasons why I never looked at enabling this feature on Windows. Bert