Hello!
> Pavel Roskin, [EMAIL PROTECTED], replies:
>
> > I believe this was a quick fix to close a security hole. Instead of
> > checking that the target directory is still under the allowed root, CVS
> > just forbids using ".." for some (not for all) commands.
>
> Larry Jones, [EMAIL PROTECTED] replies:
>
> > I think this is a bug -- the client is supposed to tell the server how many
> > levels of .. it expects to send and the server compensates, but when the
> > code was rearranged to support multiple repositories the code to send
> > the information was moved so that it happens too late in the process.
>
> Ok, which is it? :) Bug or quick fix to a security problem?

I didn't say it's not a bug. But I haven't considered how hard it may be
to "support multiple repositories" if the CVS client is allowed to go up.

> Was there some security problem associated with it? Do you recall the
> details? Just a curiosity...

No. It was just my first idea.
So just go to ".." and run CVS there. It should be safe.

Regards,
Pavel Roskin
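
The two policies contrasted in the thread (refusing any ".." versus checking that the target is still under the allowed root), as an added example that is not part of the original messages and is not CVS code. The root path, function names and sample paths are constructed for illustration.

```python
import posixpath

ROOT = "/srv/cvsroot/module"  # constructed repository root, not from the thread


def blanket_ban(relpath: str) -> bool:
    """Policy described in the thread: refuse any path with a '..' component."""
    return ".." not in relpath.split("/")


def under_root(relpath: str, root: str = ROOT) -> bool:
    """Alternative named in the thread: resolve the path, then check that the
    result is still inside the allowed root. Purely lexical; a real server
    would also have to resolve symlinks on disk before comparing."""
    if relpath.startswith("/"):
        return False  # absolute paths never count as relative to the root
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, relpath))
    # Compare on a component boundary so /srv/cvsroot/module-evil is not
    # mistaken for a child of /srv/cvsroot/module.
    return target == root or target.startswith(root + "/")


def compare(paths):
    """Return (path, blanket_ban verdict, under_root verdict) for each path."""
    return [(p, blanket_ban(p), under_root(p)) for p in paths]


# Constructed sample paths.
SAMPLES = [
    "src/main.c",          # plain path: both policies accept
    "src/../doc/README",   # goes up and back down, stays inside the root
    "..",                  # parent of the root
    "../module-evil/x",    # sibling sharing the root's name as a prefix
    "src/../../other",     # leaves the root after descending
]

if __name__ == "__main__":
    for path, ban_ok, root_ok in compare(SAMPLES):
        print(f"{path:22} blanket_ban={ban_ok!s:5} under_root={root_ok}")
```

The only sample where the two policies disagree is `src/../doc/README`: the blanket ban refuses it although it never leaves the root.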