[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security issue: Full server path returned to the client
|
From: |
Larry Jones |
|
Subject: |
Re: Security issue: Full server path returned to the client |
|
Date: |
Mon, 15 Dec 2003 19:30:41 -0500 (EST) |
Wolfgang Loch writes:
>
> I noticed the when you do a "cvs remove FILE" followed by "cvs commit",
> the client shows the full path name of the file on the CVS server. I
> consider this is a security risk. The client should never see the actual
> path on the server.
Lots of CVS command echo the full path of the affected RCS file. Since
the user has specified the root of the repository in CVSROOT and the
relative path from there to the files in the initial checkout, I have a
hard time understanding how that can possibly be considered a security
risk.
> On the other hand, the client should be allowed to specify full path
> names on the client machine, independent of the protocol in use.
> Currently you can work with full path names if you are using the :local:
> protocol with UNC path names. But when you switch to another protocol,
> your existing scripts will stop working. This can be quite suprising.
Allowing absolute path names in client/server mode is very challenging.
(See the comments in server_pathname_check() in server.c) Feel free to
submit patches.
-Larry Jones
This sounds suspiciously like one of Dad's plots to build my character.
-- Calvin