Ask Bjørn Hansen wrote:
> 
> On May 23, 2007, at 9:40 AM, JT Moree wrote:
> 
>> http://wiki.qpsmtpd.org/plugins
>>
>> The links to some (most?) plugins from this page are not working.  Well,
>> more precisely, the svn that is linked to is not working.  For example,
>>
>> http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/check_badmailfrom
> 
> That's odd.
> 
> Like this
>  
> http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/check_badmailfrom?view=markup&rev=HEAD
> 
> 
> it works ...
> 
Someone has disabled the CheckoutView view option in ViewVC.  It needs
to be re-enabled.

SECURITY INFORMATION
--------------------

ViewVC provides a feature which allows version controlled content to
be served to web browsers just like static web server content.  So, if
you have a directory full of interrelated HTML files that is housed in
your version control repository, ViewVC can serve those files as HTML.
You'll see in your web browser what you'd see if the files were part
of your website, with working references to stylesheets and images and
links to other pages.

It is important to realize, however, that as useful as that feature
is, there is some risk security-wise in its use.  Essentially, anyone
with commit access to the CVS or Subversion repositories served by
ViewVC has the ability to affect site content.  If a discontented or
ignorant user commits malicious HTML to a version controlled file
(perhaps just by way of documenting examples of such), that malicious
HTML is effectively published and live on your ViewVC instance.
Visitors viewing those version controlled documents get the
malicious code, too, which might not be what the original author
intended.

If you wish to disable ViewVC's "checkout" view which implements this
feature, you can do so by editing lib/viewvc.py, and modifying the
function view_checkout() like so, adding the lines indicated:

      def view_checkout(request):
>>      raise debug.ViewVCException('Checkout view is disabled',
>>                                  '403 Forbidden')
        path, rev = _orig_path(request)
        fp, revision = request.repos.openfile(path, rev)

Regards

James Turnbull

-- 
James Turnbull <[EMAIL PROTECTED]>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
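
An alternative to disabling the checkout view outright, shown as an added example (not ViewVC code and not from this thread): a helper that chooses response headers so that committed HTML is displayed as source instead of being rendered. The name `checkout_headers`, the list of active types and the header policy are all assumptions for illustration.

```python
import mimetypes

# MIME types a browser renders as active content (markup or script).
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
    "text/javascript", "application/javascript",
}


def checkout_headers(path, allow_render=False):
    """Return response headers for serving the repository file at `path`.

    Hypothetical helper, not part of ViewVC. With allow_render=False,
    anything a browser could render as active content is downgraded to
    text/plain, so committed HTML is shown as source and not executed.
    """
    guessed, _ = mimetypes.guess_type(path)
    ctype = guessed or "application/octet-stream"
    headers = {
        # Stop the browser from sniffing HTML out of a text/plain response.
        "X-Content-Type-Options": "nosniff",
        # An empty sandbox directive blocks scripts and same-origin access
        # even when allow_render=True lets the markup through.
        "Content-Security-Policy": "sandbox",
    }
    if ctype in ACTIVE_TYPES:
        if not allow_render:
            ctype = "text/plain"
    elif not ctype.startswith(("text/", "image/")):
        # Unknown or binary content is downloaded, never displayed inline.
        headers["Content-Disposition"] = "attachment"
    headers["Content-Type"] = ctype
    return headers


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real repository.
    for p in ("docs/index.html", "img/logo.svg", "img/logo.png",
              "trunk/plugins/check_badmailfrom"):
        print(p, checkout_headers(p))
```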
