List: subversion-issues
Subject: [Issue 1209] New - dav_svn_deliver() is not doing any HTML or (real) XML path escaping
From: issues () subversion ! tigris ! org
Date: 2003-03-27 3:37:34
http://subversion.tigris.org/issues/show_bug.cgi?id=1209
*** Old
--- New
***************
*** 0 ****
--- 1,56 ----
+ +============================================================================+
+ | dav_svn_deliver() is not doing any HTML or (real) XML path escaping |
+ +----------------------------------------------------------------------------+
+ | Issue #: 1209 Component: subversion |
+ | Status: NEW Version: current |
+ | Resolution: Platform: All |
+ | Issue type: DEFECT OS/Version: Linux |
+ | Priority: P3 Subcomponent: mod_dav_svn |
+ +----------------------------------------------------------------------------+
+ | Assigned To: issues@subversion |
+ | Reported By: danpat |
+ | QA Contact: issues@subversion |
+ | CC list: Cc: |
+ +----------------------------------------------------------------------------+
+ | Milestone: TargetMilestone: --- |
+ | URL: |
+ +============================================================================+
+ | DESCRIPTION |
+ It looks like mod_dav_svn isn't properly escaping characters
+ sent to the other end for display. Using the 0.20 release
+ (client and server):
+
+ $ touch \"testing\"
+ $ touch also\&testing
+ $ svn import http://test/repos .
+
+ Import works ok, repository looks fine, checkouts work ok. However,
+ access via WebDAV with a browser produces broken HTML and XML (depending
+ on the view configured in apache for that repository).
+
+ In HTML mode, I see:
+
+ <a href="%22testing%22">"testing"</a>
+ OK
+ <a href="also%26testing">also&testing</a>
+ broken, should be
+ >also&amp;testing</a>
+
+
+ In XML mode, I see:
+
+ <file url="%22testing%22" name=""testing""/>
+ broken, should read
+ name="&quot;testing&quot;"
+ <file url="also%26testing" name="also&testing"/>
+ broken, should read
+ name="also&amp;testing"
+
+ Looking at r5480, the appropriate code is in
+ subversion/mod_dav_svn/repos.c, between lines 1950 and 1970. It looks
+ like the "name" variable needs to have entities escaped. I would
+ supply a patch, but I'm not at all familiar with the Apache or APR
+ APIs, and I have no idea what function would achieve this (nor do
+ I have the time to hunt it down). ap_escape_uri is wrong, and it
+ doesn't look like ap_escape_html escapes the "&quot;" entities
+ (although I may be wrong on that, I've not tried it).
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@subversion.tigris.org
For additional commands, e-mail: issues-help@subversion.tigris.org
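
The escaping the report asks for on the "name" value, as an added example that is not part of the original message and is not Subversion or mod_dav_svn code. The function name escape_markup is hypothetical, and the sketch uses only the C standard library rather than the Apache or APR APIs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for a character unsafe in markup text or a quoted attribute. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '"': return "&quot;";
    default:  return NULL;   /* safe to emit unchanged */
    }
}

/* Return a malloc()ed, entity-escaped copy of s; NULL if out of memory. */
char *escape_markup(const char *s)
{
    size_t len = 0;
    for (const char *p = s; *p; p++)
        len += entity_for(*p) ? strlen(entity_for(*p)) : 1;
    char *out = malloc(len + 1), *w = out;
    if (out == NULL) return NULL;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        if (e != NULL) {
            memcpy(w, e, strlen(e));
            w += strlen(e);
        } else {
            *w++ = *p;
        }
    }
    *w = '\0';
    return out;
}

int main(void)
{
    /* Constructed input: the two file names from the report. */
    const char *names[] = { "\"testing\"", "also&testing" };
    for (size_t i = 0; i < 2; i++) {
        char *esc = escape_markup(names[i]);
        if (esc == NULL) return 1;
        printf("name=\"%s\"\n", esc);
        free(esc);
    }
    return 0;
}
```

The href/url value is a separate concern: it needs URI percent-encoding, which the output quoted in the report already shows.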