Ian Lance Taylor writes:
>
> This looks like a serious security problem. It appears to open
> anonymous CVS servers to a wide range of attack.

It's a known problem. Like it says in the Cederqvist manual (under "Security considerations with password authentication"):

    ... once a user has non-read-only access to the repository, she can
    execute programs on the server system through a variety of means.

Fixing this will require some serious redesign -- the simplest fix would be to just get rid of checkin and update programs, but I'm not sure how people would feel about that.

-Larry Jones

Who, ME? Who?! Me?? WHO... Me?! Who, me??? -- Calvin