>>>>> "Karl" == Karl Fogel <[EMAIL PROTECTED]> writes:
    Karl> Sorry -- good point.  I'll look at it in detail when I'm looking at it
    Karl> in detail, which will be early next week.  In the meantime, I'll keep
    Karl> my mouth shut. :-)

    Karl> -K

    Karl> Ian Lance Taylor <[EMAIL PROTECTED]> writes:
    >> From: Karl Fogel <[EMAIL PROTECTED]>
    >> Date: 28 Jul 2000 14:01:23 -0500
    >> 
    >> Ian Lance Taylor <[EMAIL PROTECTED]> writes:
    >> > This looks like a serious security problem.  It appears to open
    >> > anonymous CVS servers to a wide range of attack.
    >> 
    >> It looks serious, but not for anonymous-only servers, since anonymous
    >> users can't commit.
    >> 
    >> What if I frob Update.prog?  I don't claim to understand all the cases
    >> here, but it appears that that will be run by `cvs update'.
    >> 
    >> Ian

  Anyway, correct me if I'm wrong:

  Update.prog can only be frobbed by someone who has write permissions.
  Yes, it will cause the program to be run on the server, and you can run
the programs under other people's IDs (including those of read-only and
anonymous users), but the threat is still limited to those with write
permissions.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |   now at 1575 Carling Avenue... still moving in
 Personal: [EMAIL PROTECTED] (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html).
 PGP key available.
 Corporate: [EMAIL PROTECTED].