svn: properly escape arguments for authors-prog

Previously, the call to authors-prog was not properly escaped, so any special characters in the Subversion username, such as spaces and semi-colons, would be interpreted by the shell rather than being passed in as the first argument. Now all unsafe characters are escaped using "git rev-parse --sq-quote" [ew: switched from "\Q..\E" to "rev-parse --sq-quote"] Signed-off-by: Mark Lodato <lodatom@gmail.com> Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
git · Sep 13, 2009 · d3d7d47 · d3d7d47
1 parent 45c58ba
commit d3d7d47
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/git-svn.perl b/git-svn.perl
@@ -2810,6 +2810,7 @@ sub other_gs {
 
 sub call_authors_prog {
 	my ($orig_author) = @_;
+	$orig_author = command_oneline('rev-parse', '--sq-quote', $orig_author);
 	my $author = `$::_authors_prog $orig_author`;
 	if ($? != 0) {
 		die "$::_authors_prog failed with exit code $?\n"

diff --git a/t/t9138-git-svn-authors-prog.sh b/t/t9138-git-svn-authors-prog.sh
@@ -66,4 +66,18 @@ test_expect_success 'authors-file overrode authors-prog' '
 	)
 	'
 
+git --git-dir=x/.git config --unset svn.authorsfile
+git --git-dir=x/.git config --unset svn.authorsprog
+
+test_expect_success 'authors-prog handled special characters in username' '
+	svn mkdir -m bad --username "xyz; touch evil" "$svnrepo"/bad &&
+	(
+		cd x &&
+		git svn --authors-prog=../svn-authors-prog fetch &&
+		git rev-list -1 --pretty=raw refs/remotes/git-svn |
+		grep "^author xyz; touch evil <xyz; touch evil@example\.com> " &&
+		! test -f evil
+	)
+'
+
 test_done