svn: properly escape arguments for authors-prog

Previously, the call to authors-prog was not properly escaped, so any
special characters in the Subversion username, such as spaces and
semi-colons, would be interpreted by the shell rather than being passed
in as the first argument.  Now all unsafe characters are escaped using
"git rev-parse --sq-quote"

[ew: switched from "\Q..\E" to "rev-parse --sq-quote"]

Signed-off-by: Mark Lodato <lodatom@gmail.com>
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

2 files changed, 15 insertions, 0 deletions

diff --git a/git-svn.perl b/git-svn.perl
index d07581072..24bdbf5b8 100755
--- a/git-svn.perl
+++ b/git-svn.perl
@@ -2810,6 +2810,7 @@ sub other_gs {
 
 sub call_authors_prog {
 	my ($orig_author) = @_;
+	$orig_author = command_oneline('rev-parse', '--sq-quote', $orig_author);
 	my $author = `$::_authors_prog $orig_author`;
 	if ($? != 0) {
 		die "$::_authors_prog failed with exit code $?\n"
diff --git a/t/t9138-git-svn-authors-prog.sh b/t/t9138-git-svn-authors-prog.sh
index a4b00f2a3..83cc5fc9d 100755
--- a/t/t9138-git-svn-authors-prog.sh
+++ b/t/t9138-git-svn-authors-prog.sh
@@ -66,4 +66,18 @@ test_expect_success 'authors-file overrode authors-prog' '
 	)
 	'
 
+git --git-dir=x/.git config --unset svn.authorsfile
+git --git-dir=x/.git config --unset svn.authorsprog
+
+test_expect_success 'authors-prog handled special characters in username' '
+	svn mkdir -m bad --username "xyz; touch evil" "$svnrepo"/bad &&
+	(
+		cd x &&
+		git svn --authors-prog=../svn-authors-prog fetch &&
+		git rev-list -1 --pretty=raw refs/remotes/git-svn |
+		grep "^author xyz; touch evil <xyz; touch evil@example\.com> " &&
+		! test -f evil
+	)
+'
+
 test_done