Re: mod_dav_svn not XML-escaping hook error messages

Mon, 14 Dec 2009 06:01:45 -0800 

Jon Foster wrote:
> I'd like to report a problem with mod_dav_svn and repository
> hooks.  I had a bug in my post-revprop-change script, but all I
> saw was:
> 
> > $ svn propedit --revprop -r 19 svn:log
> > svn: DAV request failed; it's possible that the repository's
> > pre-revprop-change hook either failed or is non-existent
> > svn: At least one property change failed; repository is unchanged
> > svn: XML data was not well-formed
> 
> It seems that mod_dav_svn doesn't escape special XML characters like
> "<" and ">" in the error messages from hook scripts.  This causes
> corrupt XML to be sent across the wire.  Here's a Wireshark capture
> of the response to the PROPPATCH:
[...]
> <D:responsedescription>
> post-revprop-change hook failed (exit code 1) with output:
> Traceback (most recent call last):
>   File "/srv/svn/kenny/hooks/post_revprop_change.py", line 9, in
> <module>
>     from some_module import some_function
> ImportError: cannot import name some_function
> </D:responsedescription>
[...]
> --- END WIRESHARK CAPTURE ---
> 
> The "<module>" part is invalid XML; but shouldn't mod_dav or
> mod_dav_svn be escaping this?
> 
> This seems to have been reported previously (with the "&"
> character not being escaped):
> 
> http://svn.haxx.se/users/archive-2007-05/0016.shtml
> 
> But I can't see it in the bug tracker.
> 
> I'm using Subversion 1.6.6 compiled from source, and the Apache
> package provided by Debian.

It looks like the problem has been there for years. I think this patch
should fix it. Do you feel like writing a regression test?

[[[
In mod_dav_svn, make error output from the post-commit hook XML-safe, to fix
the "invalid XML" error that occurred if a post-commit error message
contained "&" or "<" characters.

* subversion/mod_dav_svn/merge.c
  (dav_svn__merge_response): XML-quote the error string.
--This line, and those below, will be ignored--

Index: subversion/mod_dav_svn/merge.c
===================================================================
--- subversion/mod_dav_svn/merge.c      (revision 889737)
+++ subversion/mod_dav_svn/merge.c      (working copy)
@@ -252,7 +252,9 @@ dav_svn__merge_response(ap_filter_t *out
       post_commit_err_elem = apr_psprintf(pool,
                                           "<S:post-commit-err>%s"
                                           "</S:post-commit-err>",
-                                          post_commit_err);
+                                          apr_xml_quote_string(pool,
+                                                               post_commit_err,
+                                                               0));
     }
   else
     {
]]]

- Julian

Reply via email to