RE: [PATCH] cvs list and cvs rlog
From: Alastair J. Houghton
Subject: RE: [PATCH] cvs list and cvs rlog
Date: Sun, 12 Nov 2000 22:02:29 -0000

Oops. Found a security hole (not a major one - but it does let others
explore the directory structure outside your repository...). Try for
example

    cvs list ../usr

The solution is of course to add the lines

    /* Check the repository path */
    if (pathname_levels (argv[0]) > 0)
      {
        error (0, 0, "`..'-relative repositories are not supported.");
        error (1, 0, "illegal source repository");
      }

to the very beginning of "list_proc" in "list.c" and
"rlog_list_proc" (Why did I call it this?! Consider it renamed to
"rlog_proc") in "log.c".
Regards,
Alastair.
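
Added example, not part of the original message and not code from CVS: a lexical check of the kind the message describes, which counts how far a client-supplied path climbs above its starting directory, so that embedded forms such as `module/../../usr` are caught as well as a leading `..`. The names `max_levels_above_start` and `repo_path_ok` are hypothetical, and refusing absolute paths is an assumption that goes beyond what the message covers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not CVS's pathname_levels): walk PATH component by
   component and return the largest number of directory levels it climbs
   above its starting directory.  0 means the path never leaves it. */
static int max_levels_above_start(const char *path)
{
    int depth = 0;      /* current depth relative to the start directory */
    int max_up = 0;     /* furthest excursion above the start directory */
    const char *p = path;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            depth--;
            if (-depth > max_up)
                max_up = -depth;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary directory name */
        }
        p += len;
        while (*p == '/')               /* skip one or more separators */
            p++;
    }
    return max_up;
}

/* Returns 1 if a client-supplied repository-relative path is acceptable. */
static int repo_path_ok(const char *path)
{
    if (path[0] == '/')     /* assumption: absolute paths are refused too */
        return 0;
    return max_levels_above_start(path) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "module/src", "../usr", "module/../../usr",
                              "module/sub/../file", "./module//src/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               repo_path_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

A check like this is purely lexical: it does not resolve symbolic links, so it only constrains the path string the client sent.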