--- lib/TWiki/Store/RcsWrap.pm.orig	Tue Mar  2 07:31:30 2004
+++ lib/TWiki/Store/RcsWrap.pm	Sun Feb 29 12:58:33 2004
@@ -157,8 +157,11 @@
     }
     $self->_saveFile( $self->file(), $text );
     $cmd = $self->{ciDateCmd};
+    $date =~ s/$TWiki::securityFilter//go;
     $cmd =~ s/%DATE%/$date/;
     $cmd =~ s/%USERNAME%/$user/;
+    $file =~ s/$TWiki::securityFilter//go;
+    $rcsFile =~ s/$TWiki::securityFilter//go;
     $cmd =~ s/%FILENAME%/$file $rcsFile/;
     $cmd =~ /(.*)/;
     $cmd = $1;       # safe, so untaint variable
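Review bot: `$user` is still substituted into `%USERNAME%` unfiltered, while the added lines filter `$date`, `$file` and `$rcsFile`, so one interpolated value reaches the command string untouched before the blanket `$cmd =~ /(.*)/` untaint. Add `$user =~ s/$TWiki::securityFilter//go;` before the `%USERNAME%` substitution, since the "safe, so untaint variable" comment only holds once every interpolated value has been filtered. The filter also rewrites `$file` and `$rcsFile` after `_saveFile( $self->file(), $text )` has run, so if a character is stripped the check-in may name a different path from the one just written; failing on a name that changes under the filter would be safer than silently altering it. The enclosing sub starts and ends outside the hunk, so any earlier validation of `$user` or `$file` is not visible here.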
@@ -383,8 +386,11 @@
     my $cmd = $self->{"ciCmd"};
     my $rcsOutput = "";
     $cmd =~ s/%USERNAME%/$userName/;
+    $file =~ s/$TWiki::securityFilter//go;
     $cmd =~ s/%FILENAME%/$file/;
-    $comment = "none" if ( ! $comment );
+    #$comment = "none" if ( ! $comment );
+    $comment = "none" unless( $comment );
+    $comment =~ s/[\"\'\`\;]//go;  # security, Codev.NoShellCharacterEscapingInFileAttachComment, MikeSmith
     $cmd =~ s/%COMMENT%/$comment/;
     $cmd =~ /(.*)/;
     $cmd = $1;       # safe, so untaint variable
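Review bot: The `"none"` default is applied before the new character strip, so a comment made up only of stripped characters ends up empty in `%COMMENT%`; move `$comment = "none" unless( $comment );` below the `s///` line. The strip itself is a denylist of four characters and leaves other shell-significant ones (`$`, `|`, `&`, `<`, `>`, backslash, newline) in place. If the command is later run through a shell, which this hunk does not show, an allowlist such as `$comment =~ s/[^\w \t.,:\-]//g;` or passing the comment as a separate argument in list form would be more robust. `$userName` is substituted into `%USERNAME%` without any filter, unlike `$file`, and should get `$userName =~ s/$TWiki::securityFilter//go;` before it is used. The commented-out `#$comment = "none" if ( ! $comment );` line can be dropped, since the diff already records the old form.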
