Hi,
"KOIE Hidetaka" wrote:
>
> From: Anton Lavrentiev <[EMAIL PROTECTED]>
> Subject: CVS release and status commands
> Date: Fri, 28 Jul 2000 01:20:15 +0900 (JST)
>
> | It seems that there is a bug in the current CVS release, 1.10.8, which
> | I have downloaded from www.cyc
KOIE Hidetaka writes:
>
> I fail to repeat. The working directory is removed cleanly.
The working directory is removed, but it is not removed from CVS/Entries
in the parent directory (assuming the parent directory has a CVS/Entries
file):
* SCRIPT: foo
#!/bin/sh
DIR=`pwd`/repo
[ -d $DIR ]
KOIE Hidetaka writes:
>
> cvs version command may not access a repository.
Why not? It doesn't seem like an unreasonable restriction to me.
> "valid-requests" is used instead of "noop",
> because "noop" command is not RQ_ROOTLESS.
It would make more sense to change noop to be rootless.
-Larr
From: [EMAIL PROTECTED] (Larry Jones)
Subject: Re: cvs version w/o repository.
Date: Sat, 29 Jul 2000 00:18:32 +0900 (JST)
| > cvs version command may not access a repository.
|
| Why not? It doesn't seem like an unreasonable restriction to me.
Because:
`cvs version' displays its ver
I've understood. This is a quick fix:
*** release.c.org Sat Jul 29 02:49:45 2000
--- release.c Sat Jul 29 02:49:45 2000
*** release (argc, argv)
*** 268,273
--- 268,275
if (unlink_file_dir (thisarg) < 0)
error (0, errno, "deletion of di
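Review bot: the hunk header (268,273 to 268,275) says two lines are added right after the unlink_file_dir check, but those added lines are not present in the quoted patch, so the deregistration they perform cannot be reviewed from what is visible here. One point that does follow from the visible lines: `error (0, errno, ...)` is non-fatal in CVS (exit status 0 means continue), so control falls through past a failed deletion; any CVS/Entries update placed after this check should be made conditional on unlink_file_dir having succeeded, otherwise the entry is dropped while the directory is still on disk.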
> From: [EMAIL PROTECTED] (Larry Jones)
> Subject: Re: cvs version w/o repository.
> Date: Sat, 29 Jul 2000 00:18:32 +0900 (JST)
>
> | > cvs version command may not access a repository.
> |
> | Why not? It doesn't seem like an unreasonable restriction to me.
[smc] Wasn't "cvs
I wrote: [...]
> To see what version of CVS you're running locally, use "cvs -V"
[smc] I meant "cvs -v"
KOIE Hidetaka writes:
>
> I've understood. This is a quick fix:
Too quick. It doesn't work if thisarg is a path rather than just a
simple name, and it doesn't work client/server (it only does the
deregister on the server).
This is my quick fix which is similar but avoids the first problem.
(L
Cameron, Steve writes:
>
> [smc] Wasn't "cvs version" recently introduced precisely so that
> you could
> see what version of CVS the _remote_ repository was running?
Yes, Hide-san's point was that you shouldn't have to specify a valid
root directory on the server just to find out wh
This looks like a serious security problem. It appears to open
anonymous CVS servers to a wide range of attack.
Ian
--- Start of forwarded message ---
To: [EMAIL PROTECTED]
Date: Fri, 28 Jul 2000 17:21:28 +0900
From: Tanaka Akira <[EMAIL PROTECTED]>
Subject: cvs security pr
Ian Lance Taylor <[EMAIL PROTECTED]> writes:
> This looks like a serious security problem. It appears to open
> anonymous CVS servers to a wide range of attack.
It looks serious, but not for anonymous-only servers, since anonymous
users can't commit.
The hole here, I think, is that someone who
Ian Lance Taylor writes:
>
> This looks like a serious security problem. It appears to open
> anonymous CVS servers to a wide range of attack.
It's a known problem. Like it says in the Cederqvist manual (under
"Security considerations with password authentication"):
... once a user ha
From: Karl Fogel <[EMAIL PROTECTED]>
Date: 28 Jul 2000 14:01:23 -0500
Ian Lance Taylor <[EMAIL PROTECTED]> writes:
> This looks like a serious security problem. It appears to open
> anonymous CVS servers to a wide range of attack.
It looks serious, but not for anonymous-only s
Sorry -- good point. I'll look at it in detail when I'm looking at it
in detail, which will be early next week. In the meantime, I'll keep
my mouth shut. :-)
-K
Ian Lance Taylor <[EMAIL PROTECTED]> writes:
>From: Karl Fogel <[EMAIL PROTECTED]>
>Date: 28 Jul 2000 14:01:23 -0500
>
>
Hello!
On 28 Jul 2000, Karl Fogel wrote:
> Sorry -- good point. I'll look at it in detail when I'm looking at it
> in detail, which will be early next week. In the meantime, I'll keep
> my mouth shut. :-)
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whethe
Ian Lance Taylor writes:
>
> What if I frob Update.prog? I don't claim to understand all the cases
> here, but it appears that that will be run by `cvs update'.
Update.prog just contains the name of the program to run, not the actual
code. If you can't commit, you can't upload arbitrary code t
Date: Fri, 28 Jul 2000 17:45:13 -0400 (EDT)
From: [EMAIL PROTECTED] (Larry Jones)
Ian Lance Taylor writes:
> What if I frob Update.prog? I don't claim to understand all the cases
> here, but it appears that that will be run by `cvs update'.
Update.prog just contains the name
Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT)
From: Pavel Roskin <[EMAIL PROTECTED]>
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whether commits are allowed and exits if they are not. It prints a
strange message though:
E Flag -u in modules n
Date: 28 Jul 2000 14:58:08 -0700
From: Ian Lance Taylor <[EMAIL PROTECTED]>
Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT)
From: Pavel Roskin <[EMAIL PROTECTED]>
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whether commits are allow
> Update.prog just contains the name of the program to run, not the actual
> code. If you can't commit, you can't upload arbitrary code to run, you
> can only run pre-existing code on the server, and you have no control
> over its input or arguments, so it's a very low-level threat.
cat "wget ft
On Fri, Jul 28, 2000 at 05:20:13PM -0400, Larry Jones wrote:
> -- the simplest fix would
> be to just get rid of checkin and update programs, but I'm not sure how
> people would feel about that.
It would probably remove any chance I have of getting t