info-cvs

RE: [PATCH] cvs list and cvs rlog


From: Alastair J. Houghton
Subject: RE: [PATCH] cvs list and cvs rlog
Date: Sun, 12 Nov 2000 22:02:29 -0000

Oops. Found a security hole (not a major one - but it does let others
explore the directory structure outside your repository...). Try for
example

  cvs list ../usr

The solution is of course to add the lines

    /* Check the repository path */
    if (pathname_levels (argv[0]) > 0)
    {
        error (0, 0, "`..'-relative repositories are not supported.");
        error (1, 0, "illegal source repository");
    }
    
to the very beginning of "list_proc" in "list.c" and
"rlog_list_proc" (Why did I call it this?! Consider it renamed to
"rlog_proc") in "log.c".

Regards,

Alastair.
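
As an added illustration (not part of the original message, and not CVS's own `pathname_levels` code), the lexical check that the fix relies on can be sketched in C. The names `max_ascent` and `module_path_ok` are hypothetical, the sample arguments are constructed, and rejecting absolute paths is an extra assumption beyond the check in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not CVS's pathname_levels(): returns how many
   levels `path` climbs above its starting directory at the highest
   point of the walk. 0 means it never leaves the starting directory.
   Purely lexical: symbolic links are not resolved. */
int max_ascent(const char *path)
{
    int depth = 0;   /* current depth relative to the start */
    int max_up = 0;  /* highest excursion above the start */
    const char *p = path;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");  /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            depth--;
            if (-depth > max_up)
                max_up = -depth;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;  /* ordinary name: one level down */
        }
        /* empty components ("//") and "." leave depth unchanged */
        p += len;
        if (*p == '/')
            p++;
    }
    return max_up;
}

/* Returns 1 if the argument stays inside the repository root, else 0.
   Rejecting absolute paths is an assumption added for this example. */
int module_path_ok(const char *arg)
{
    return arg[0] != '/' && max_ascent(arg) == 0;
}

int main(void)
{
    /* Constructed sample arguments */
    const char *samples[] = { "module/sub", "../usr", "a/../../etc", "a/b/../c" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               module_path_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Tracking the highest excursion rather than the final position means a path such as `a/../../etc`, which dips above the root mid-walk, is rejected as well.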



