From 8e34e2bd03c75f98fbc08a7f86bc2c85eae5f43b Mon Sep 17 00:00:00 2001
From: vrana
Date: Mon, 4 Feb 2013 11:27:16 -0800
Subject: [PATCH] Fix dynamic string usage as safe input

Test Plan: Copied the code in a script, changed `phutil_passthru()` to `echo csprintf()` and ran it.

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4805
---
 src/workflow/ArcanistCommitWorkflow.php | 29 ++++++++++---------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/src/workflow/ArcanistCommitWorkflow.php b/src/workflow/ArcanistCommitWorkflow.php
index ab687250..9570c94d 100644
--- a/src/workflow/ArcanistCommitWorkflow.php
+++ b/src/workflow/ArcanistCommitWorkflow.php
@@ -144,15 +144,20 @@ EOTEXT
     $tmp_file = new TempFile();
     Filesystem::writeFile($tmp_file, $message);
 
-    $command = $this->getSVNCommitCommand();
+    $command = csprintf(
+      'svn commit %Ls --encoding utf-8 -F %s',
+      $files,
+      $tmp_file);
+
+    // make sure to specify LANG on non-windows systems to surpress any fancy
+    // warnings; see @{method:getSVNLangEnvVar}.
+    if (!phutil_is_windows()) {
+      $command = csprintf('LANG=%C %C', $this->getSVNLangEnvVar(), $command);
+    }
+
 
     chdir($repository_api->getPath());
-    $err = phutil_passthru(
-      $command,
-      $files,
-      $tmp_file
-    );
-
+    $err = phutil_passthru('%C', $command);
     if ($err) {
       throw new Exception("Executing 'svn commit' failed!");
     }
@@ -296,16 +301,6 @@ EOTEXT
     return $locale;
   }
 
-  private function getSVNCommitCommand() {
-    $command = 'svn commit %Ls --encoding utf-8 -F %s';
-    // make sure to specify LANG on non-windows systems to surpress any fancy
-    // warnings; see @{method:getSVNLangEnvVar}.
-    if (!phutil_is_windows()) {
-      $command = 'LANG='.$this->getSVNLangEnvVar().' '.$command;
-    }
-    return $command;
-  }
-
   private function runSanityChecks(array $revision) {
     $repository_api = $this->getRepositoryAPI();
     $revision_id = $revision['id'];
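Review bot: The locale value is still spliced into the shell command unescaped through the first `%C` on the new `csprintf('LANG=%C %C', ...)` line, so the command is only as safe as whatever `getSVNLangEnvVar()` returns; its body is outside this hunk (only `return $locale;` is visible), and if that value is ever taken from `locale -a` output or the caller's environment rather than a fixed literal, it becomes a shell-injection seam that the `%Ls`/`%s` escaping of the file arguments does not cover. Only the already-escaped `$command` needs the raw `%C`; the locale should take the quoting path, `$command = csprintf('LANG=%s %C', $this->getSVNLangEnvVar(), $command);`, which still yields a valid sh assignment prefix (`LANG='en_US.UTF-8' svn commit ...`) on the non-Windows branch this code is limited to. The comment carried over from the removed helper keeps the typo `surpress`; `suppress` is the intended word. The enclosing method begins before and continues after this hunk.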