I originally wrote:

> > I used to be able to commit like this:
> >     cvs commit -m"foo changes"  foo.c ../include/foo.h
> > After upgrading to CVS 1.10.8, I get this error:
> >     protocol error: '..' has too many ..
> > This worked in 1.10.1.  Is this a bug, or was it incorporated to fix some
> > other condition?  If so, what was the reason?

Pavel Roskin, [EMAIL PROTECTED], replies:

>  I believe this was a quick fix to close a security hole. Instead of
>  checking that the target directory is still under the allowed root, CVS
>  just forbids using ".." for some (not for all) commands.

Larry Jones, [EMAIL PROTECTED] replies:

>  I think this is a bug -- the client is supposed to tell the server how many
>  levels of .. it expects to send and the server compensates, but when the
>  code was rearranged to support multiple repositories the code to send
>  the information was moved so that it happens too late in the process.

Ok, which is it?  :)  Bug or quick fix to a security problem?

Larry Jones, [EMAIL PROTECTED] continues:

>  > If I pass the full pathname of the file (e.g., 
>  > "$HOME/cvs/foo/include/foo.h"), I get
>  >     absolute pathname '/home/hal/cvs/foo/include' illegal for server
>  
>  This is intentional.

Was there some security problem associated with it?  Do you recall the 
details?  Just a curiosity...

Thanks, guys!

:)hal mahaffey
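
The thread contrasts forbidding ".." outright with checking that the path stays under the allowed root, given a known number of ".." levels. The sketch below is an added example, not code from CVS or from anyone in this thread; the function and enum names and the `max_up` parameter are hypothetical, and the check is purely lexical (it does not resolve symbolic links).

```c
#include <stdio.h>
#include <string.h>

/* Verdicts; these names are hypothetical, not taken from CVS. */
enum path_verdict { PATH_OK, PATH_ABSOLUTE, PATH_ESCAPES };

/*
 * Lexically walk a client-supplied path and track its level relative to
 * the starting directory (negative = above it).  max_up is how many ".."
 * levels above the start are still inside the allowed root (assumption:
 * the caller knows this number).  Symbolic links are not resolved.
 */
enum path_verdict check_rel_path(const char *path, int max_up)
{
    int depth = 0;
    const char *p = path;

    if (*p == '/')
        return PATH_ABSOLUTE;             /* absolute names are refused */

    while (*p != '\0') {
        size_t len = strcspn(p, "/");     /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < -max_up)
                return PATH_ESCAPES;      /* climbed above the allowed root */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;                      /* ordinary name: one level down */
        }
        p += len;
        while (*p == '/')                 /* skip separators, incl. "//" */
            p++;
    }
    return PATH_OK;
}

int main(void)
{
    /* Constructed inputs, modelled on the paths quoted in the thread. */
    const char *samples[] = { "foo.c", "../include/foo.h",
                              "src/../../include/foo.h",
                              "/home/hal/cvs/foo/include/foo.h" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s max_up=0:%d max_up=1:%d\n", samples[i],
               check_rel_path(samples[i], 0), check_rel_path(samples[i], 1));
    return 0;
}
```

With `max_up` set to 0 this behaves like a ban on any path that climbs out of the starting directory, while still accepting a ".." that stays inside it (for example `src/../include/foo.h`).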
