Re: [HACKERS] Git cvsserver serious issue

Thu, 07 Oct 2010 07:08:24 -0700 


On 10/07/2010 09:44 AM, Magnus Hagander wrote:

On Thu, Oct 7, 2010 at 15:16, Andrew Dunstan<and...@dunslane.net>  wrote:


On 09/23/2010 01:18 PM, Aidan Van Dyk wrote:

On Thu, Sep 23, 2010 at 11:49 AM, Tom Lane<t...@sss.pgh.pa.us>    wrote:

Magnus Hagander<mag...@hagander.net>    writes:

On Thu, Sep 23, 2010 at 17:32, Andrew Dunstan<and...@dunslane.net>
  wrote:

Are we sure that's going to stop the DOS issue?

As long as it's done right, I don't see how it wouldn't.

There might be a cleaner way to do it, but after a moment's inspection
of the script, I'd be inclined to just hack GITCVS::updater->new() to
throw error if $module is neither "master" nor "REL\d_\d_STABLE".
Keep in mind of course that I'm a lousy Perl coder.

Here's a quick change that will allow you to specifig a "modules" in
the gitcvs section to export, like:
     [gitcvs]
          enabled=1
          modules=master,REL9_0_STABLE,REL8_4_STABLE

--- git-cvsserver.orig  2010-09-23 12:03:06.000000000 -0400
+++ git-cvsserver       2010-09-23 13:16:53.000000000 -0400
@@ -2771,6 +2771,12 @@

      die "Git repo '$self->{git_path}' doesn't exist" unless ( -d
$self->{git_path} );

+    if (defined $cfg->{gitcvs}{modules})
+    {
+        $log->debug("Limitting modules: ". $cfg->{gitcvs}{modules});
+        die "Invalid module $module" unless map {/^ *$module$/}
split(',', $cfg->{gitcvs}{modules});
+    }
+
      $self->{dbdriver} = $cfg->{gitcvs}{$state->{method}}{dbdriver} ||
          $cfg->{gitcvs}{dbdriver} || "SQLite";
      $self->{dbname} = $cfg->{gitcvs}{$state->{method}}{dbname} ||


OK, let's go with that. I was kinda hoping that we wouldn't have to do this
at all, but Stefan has been having serious problems getting git to build and
run on spoonbill, and I don't want to take up more of his time or be without
it for very long.

Are we doing this *just* for spoonbill? If so, it's a lot easier to
just filter-by-IP, so we don't have to maintain a patched version...




That's the only one I know of - there could certainly be others - but if 
we're going to support continued CVS use I want to be able to test it, 
and I don't have a static IP address. Can you filter by name lookup? I 
have a dyndns name.


OTOH, this patch seems pretty small and simple to maintain.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers























					Reply via email to