Re: CVS Feature Version 1.12.3 Released! (security update)
Fri, 2 Jan 2004 19:11:22 +0000
On Mon, Dec 15, 2003 at 10:24:47PM -0500, Derek Robert Price wrote:
>Steve McIntyre wrote:
>>Derek, are you sure the simple fix in modules.c to check for
>>!isabsolute() will fix the hole here? What about people specifying
>>../../../../../../<something> ? Probably the easiest fix for that is
>>to modify isabsolute() to check for .. entries in the path
>If you can send me a reproducible case where CVS doesn't abort with an
>error, I'll be happy to look into it, but I am pretty sure CVS has been
>catching the indirection case for years. Go ahead and try it.
Yup, you're right:
tack:/tmp/test$ cvs -d /home/cvs co ../cvs/test
cvs checkout: in directory ../cvs/test:
cvs checkout: `..'-relative repositories are not supported.
cvs [checkout aborted]: illegal source repository
Steve McIntyre, Cambridge, UK. address@hidden
We don't need no education.
We don't need no thought control.