Commits

Mark Lodato committed d3d7d47

svn: properly escape arguments for authors-prog

Previously, the call to authors-prog was not properly escaped, so any
special characters in the Subversion username, such as spaces and
semi-colons, would be interpreted by the shell rather than being passed
in as the first argument. Now all unsafe characters are escaped using
"git rev-parse --sq-quote"

[ew: switched from "\Q..\E" to "rev-parse --sq-quote"]

Signed-off-by: Mark Lodato <lodatom@gmail.com>
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

Comments (0)

Files changed (2)

 
 sub call_authors_prog {
 	my ($orig_author) = @_;
+	$orig_author = command_oneline('rev-parse', '--sq-quote', $orig_author);
 	my $author = `$::_authors_prog $orig_author`;
 	if ($? != 0) {
 		die "$::_authors_prog failed with exit code $?\n"

t/t9138-git-svn-authors-prog.sh

 	)
 	'
 
+git --git-dir=x/.git config --unset svn.authorsfile
+git --git-dir=x/.git config --unset svn.authorsprog
+
+test_expect_success 'authors-prog handled special characters in username' '
+	svn mkdir -m bad --username "xyz; touch evil" "$svnrepo"/bad &&
+	(
+		cd x &&
+		git svn --authors-prog=../svn-authors-prog fetch &&
+		git rev-list -1 --pretty=raw refs/remotes/git-svn |
+		grep "^author xyz; touch evil <xyz; touch evil@example\.com> " &&
+		! test -f evil
+	)
+'
+
 test_done