Filenames aren't escaped when rebuilding cvs history

RESOLVED FIXED

Status

Webtools Graveyard
Bonsai
RESOLVED FIXED
14 years ago
2 years ago

People

(Reporter: cls, Assigned: cls)

Tracking

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Assignee)

Description

14 years ago
I've been given the dubious task of setting up bonsai for a huge repository of
windows code.  I pulled the bonsai code from CVS trunk yesterday.  Apache timed
out after several attempts to rebuild the cvs history with this error message:

[Thu Sep 09 16:35:05 2004] [error] [client 10.1.214.46] (70007)The timeout
specified has expired: ap_content_length_filter: apr_bucket_read() failed,
referer: http://bonsai.company.com/bonsai/admin.cgi

The last file listed looked like:
/opt/cvsroot/./Appliance/SecureMail/WebUI/Installer/Registry
Entries/Attic/Default.rge,v

Looking at
http://lxr.mozilla.org/mozilla/source/webtools/bonsai/rebuildcvshistory.cgi#38 ,
it looks as though the value being passed to ProcessOneFile() isn't being
escaped when $rlog is called.  I'm guessing that this is causing rlog to fail or
hang (since it doesn't handle spaces either) and causing apache to time out.

This is odd because I was pretty certain that the Mozilla tree has filenames
with spaces and afaik, rebuilds work fine there.

Comment 1

14 years ago
we do have spaces in some directories, but i'm not sure we ever did a complete
rebuild of bonsai.mozilla.org
(Assignee)

Comment 2

14 years ago
Created attachment 158387 [details] [diff] [review]
Call shell_escape on rlog argument
(Assignee)

Comment 3

14 years ago
Created attachment 158393 [details] [diff] [review]
escape all rlog calls
Attachment #158387 - Attachment is obsolete: true

Comment 4

14 years ago
Comment on attachment 158393 [details] [diff] [review]
escape all rlog calls

i'd rather:

s/([ "'?&|!<>])/\\$1/g;

bonsai doesn't have common files does it :(
(Assignee)

Comment 5

14 years ago
Not sure what you mean by common files but I'll need to add () to the list as
well.  The rebuild timed out when running overnight due to a file with parens.

Comment 6

14 years ago
you have two identical functions in the patch, one for dolog and one for
rebuildcvshistory.
Assignee: tara → cls
(Assignee)

Comment 7

14 years ago
Oh, right.  That's because dolog.pl is copied into /cvsroot/CVSROOT and is meant
to run standalone.  I suppose we could make it use CGI.pl from the bonsai
installation but I didn't feel like the change was worth the added dependency.

Comment 8

14 years ago
oh right, i forgot about that. i'm fine with that duplication, i'd still like
you to use the single s/// expression. should we add []'s and ; to the list too?
(Assignee)

Comment 9

14 years ago
Created attachment 158669 [details] [diff] [review]
escape them all

Use single substitution expression and add $, (, ), [, ], ; & : to the escape
list.
Attachment #158393 - Attachment is obsolete: true

Updated

14 years ago
Attachment #158669 - Flags: review+
(Assignee)

Comment 10

14 years ago
Patch has been checked in.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

14 years ago
Just made another minor checkin to dolog.pl.  We can only call shell_escape()
when invoking a system shell otherwise the standard perl functions will see an
incorrect filename.

Checking in webtools/bonsai/dolog.pl;
/cvsroot/mozilla/webtools/bonsai/dolog.pl,v  <--  dolog.pl
new revision: 1.17; previous revision: 1.16
done
OS: Solaris → All
Hardware: PC → All
(Assignee)

Updated

14 years ago
Blocks: 259248
(Assignee)

Comment 12

14 years ago
*** Bug 232575 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

14 years ago
No longer blocks: 259248
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.