#27 file escape and pipe handle in CVS.pm

Bugfix
closed-fixed
5
2003-05-02
2002-08-13
No

Problems addressed:

1. possible security issue when opening a subshell for
co and rcsdiff

2. filenames/paths with unusual but benign characters
(e.g., spaces) fail checkout

Changes:

1. 'new FileHandle' lines replaced with three-option
open(), to open the pipe without a subshell that might
interpret bad characters

2. a new sub, 'cleanstring,' escapes some characters
and drops others

3. a couple of minor (pedantic) spelling/punctuation
changes

Possible new(ish) problems:

1. Some characters (|&!`;$%<> and control characters)
are now dropped rather than passed to co or rcsdiff.
Anyone using these in their file names will not be able
to access them (these characters don't belong in file
names IMO). For some characters, these files may have
worked before the patch. This can easily be changed if
there's a need for it.

2. FileHandle is no longer called to generate the file
handle refs. If there is a reason for calling it
instead of open() that escapes me, then there's now a
problem. Otherwise everything seems to be Just Fine
without it.

3. There _might_ be a problem with older versions of
Perl which cannot handle fork() on some systems (like
Windows). If it is a problem on these systems, perl
version 5.6+ is supposed to alleviate it.

I tested this patch on both Debian x86 and
Solaris/SPARC servers, and they work fine for me. Code
critiques, changes, complaints, and personal attacks
are welcome.
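
The effect the description relies on, as an added example that is not the patch or the project's own code: a list-form pipe open hands a file name to the child as one argument with no shell involved, while the single-string form splits it. Assumptions: Perl 5.8+ on a Unix-like system, perl itself standing in for co/rcsdiff, constructed sample names, and a hypothetical `drop_listed_chars` that covers only the characters the description lists as dropped.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Child for the demo: perl itself, printing each argument it receives in
# brackets. It stands in for co/rcsdiff so the script runs anywhere.
my @child = ($^X, '-e', 'print "[$_]\n" for @ARGV');

# Constructed sample names: one with a space, one with shell metacharacters.
my @names = ('docs/my file.txt,v', 'src/a;b$c.c,v');

# List-form pipe open: no shell is started, and each list element reaches
# the child as exactly one argument.
sub read_via_list_open {
    my (@cmd) = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh) or die "child failed: status $?";
    chomp @out;
    return @out;
}

# Hypothetical stand-in for the 'cleanstring' sub: drops the characters the
# description lists (|&!`;$%<> and control characters). The patch's escaping
# rules are not shown on the page, so none are applied here.
sub drop_listed_chars {
    my ($s) = @_;
    $s =~ s/[|&!`;\$%<>[:cntrl:]]//g;
    return $s;
}

for my $name (@names) {
    my @seen = read_via_list_open(@child, $name);
    print "list form   '$name' -> @seen\n";    # always one bracketed item
    print "after drop  '", drop_listed_chars($name), "'\n";
}

# Contrast: single-string form, run only with the space-only name. The
# command line goes through /bin/sh and is split on whitespace, so the
# child receives two arguments. Assumes $^X contains no spaces.
my $cmd = "$^X -e 'print qq([\$_]\\n) for \@ARGV' $names[0]";
open(my $fh, "$cmd |") or die "cannot run: $!";
chomp(my @split = <$fh>);
close($fh);
print "string form '$names[0]' -> @split\n";   # [docs/my] [file.txt,v]
```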

Discussion

  • Erik Stambaugh

    Erik Stambaugh - 2002-08-13

    pipe handle patch

     
  • Malcolm Box

    Malcolm Box - 2003-05-02

    Logged In: YES
    user_id=215386

    Fixed in latest CVS

     
  • Malcolm Box

    Malcolm Box - 2003-05-02
    • assigned_to: nobody --> mbox
    • status: open --> closed-fixed
     