
List:       subversion-issues
Subject:    [Issue 1209] New - dav_svn_deliver() is not doing any HTML or (real) XML path escaping
From:       issues () subversion ! tigris ! org
Date:       2003-03-27 3:37:34

http://subversion.tigris.org/issues/show_bug.cgi?id=1209

*** Old
--- New
***************
*** 0 ****
--- 1,56 ----
+ +============================================================================+
+ | dav_svn_deliver() is not doing any HTML or (real) XML path escaping        |
+ +----------------------------------------------------------------------------+
+ |      Issue #: 1209                      Component: subversion              |
+ |       Status: NEW                         Version: current                 |
+ |   Resolution:                            Platform: All                     |
+ |   Issue type: DEFECT                   OS/Version: Linux                   |
+ |     Priority: P3                     Subcomponent: mod_dav_svn             |
+ +----------------------------------------------------------------------------+
+ |  Assigned To: issues@subversion                                            |
+ |  Reported By: danpat                                                       |
+ |   QA Contact: issues@subversion                                            |
+ |      CC list: Cc:                                                          |
+ +----------------------------------------------------------------------------+
+ |    Milestone: TargetMilestone: ---                                         |
+ |          URL:                                                              |
+ +============================================================================+
+ |                              DESCRIPTION                                   |
+ It looks like mod_dav_svn isn't properly escaping characters
+ sent to the other end for display.  Using the 0.20 release
+ (client and server):
+ 
+   $ touch \"testing\"
+   $ touch also\&testing
+   $ svn import http://test/repos .
+ 
+ Import works ok, repository looks fine, checkouts work ok.  However,
+ access via WebDAV with a browser produces broken HTML and XML (depending
+ on the view configured in apache for that repository).
+ 
+ In HTML mode, I see:
+ 
+   <a href="%22testing%22">"testing"</a>       
+     OK
+   <a href="also%26testing">also&testing</a>   
+     broken, should be 
+     >also&amp;testing</a>
+     
+ 
+ In XML mode, I see:
+ 
+   <file url="%22testing%22" name=""testing""/>      
+     broken, should read 
+     name="&quot;testing&quot;"
+   <file url="also%26testing" name="also&testing"/>
+     broken, should read 
+     name="also&amp;testing"
+ 
+ Looking at r5480, the appropriate code is in
+ subversion/mod_dav_svn/repos.c, between lines 1950 and 1970.  It looks
+ like the "name" variable needs to have entities escaped.  I would
+ supply a patch, but I'm not at all familiar with the Apache or APR
+ apis, and I have no idea what function would achieve this (nor do
+ I have the time to hunt it down).  ap_escape_uri is wrong, and it
+ doesn't look like ap_escape_html escapes the "&quot;" entities
+ (although I may be wrong on that, I've not tried it).
\ No newline at end of file

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@subversion.tigris.org
For additional commands, e-mail: issues-help@subversion.tigris.org
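
The entity escaping the report asks for on the "name" value, shown as an added stand-alone C example; it is not part of the original message and is not Subversion or Apache code. `markup_escape` is a hypothetical helper name, and the two inputs are the file names from the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an Apache/APR API): entity-escape `in` for use in
 * HTML text or a double-quoted XML attribute value. Returns 0 on success,
 * -1 if `out` (capacity `outsz`, including the NUL) is too small. */
static int markup_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;

    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;      /* default: copy the byte unchanged */
        size_t len;

        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        len = strlen(rep);
        if (outsz < 1 || len > outsz - 1 - used)
            return -1;              /* refuse to truncate mid-entity */
        memcpy(out + used, rep, len);
        used += len;
    }
    if (outsz < 1)
        return -1;
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* The two file names from the report, used as sample input. */
    const char *names[] = { "\"testing\"", "also&testing" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (markup_escape(names[i], buf, sizeof buf) == 0)
            printf("<file name=\"%s\"/>\n", buf);
    }
    return 0;
}
```

The URL-encoded `href`/`url` value and the entity-escaped display name are separate encodings for separate contexts, which is why the `%22`/`%26` forms in the report are correct while the raw `"` and `&` in the name are not.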
