Package: viewvc
Version: 1.0.3-2
Severity: critical
Tags: security patch
Justification: causes serious data loss
Hello,
viewvc provides a "forbidden" configuration option to forbid access to
parts of a repository, but only *directory* listing is forbidden. An
attacker who guesses a file name can still view the file directly, even
old revisions of the file.
--- viewvc.py.orig 2007-03-29 16:06:39.000000000 -0400
+++ viewvc.py 2007-03-29 16:06:59.000000000 -0400
@@ -328,7 +328,7 @@
needs_redirect = 1
# If this is a forbidden directory, stop now
- if self.path_parts and self.pathtype == vclib.DIR \
+ if self.path_parts \
and cfg.is_forbidden(self.path_parts[0]):
raise debug.ViewVCException('%s: unknown location' % path_parts[0],
'404 Not Found')
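Review bot: the exception message on the unchanged context lines still uses the bare name `path_parts[0]` while the rewritten condition tests `self.path_parts[0]`; confirm a local `path_parts` is in scope at this point in the method, or use `self.path_parts[0]` in both the condition and the message so the two cannot drift apart. Dropping the `self.pathtype == vclib.DIR` test means the forbidden check now runs for every path type, which is what closes the direct-file-access bypass the report describes.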
Thanks,
Ken
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
--
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
As the choice is essentially cosmetic there will likely be no end to
the debate on what the correct decision should be.
http://successor-ml.org/index.php?title=Quoting/anti-quoting
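The access-control gap described in the report, modelled as an added example. This is constructed code, not viewvc's own: `FORBIDDEN`, the request list, and the glob-style matching in `is_forbidden` are assumptions chosen to illustrate the point, and `check_before` / `check_after` mirror the shape of the condition in the patch rather than the real `Request` class.

```python
import fnmatch

# Constructed stand-in for viewvc's "forbidden" option: top-level module
# names that must not be served. Glob matching is an assumption here.
FORBIDDEN = ["secret*", "private"]

DIR, FILE = "dir", "file"


def is_forbidden(module):
    """True if the top-level module name matches a forbidden pattern."""
    return any(fnmatch.fnmatchcase(module, pat) for pat in FORBIDDEN)


def check_before(path_parts, pathtype):
    """Pre-patch shape of the check: only directory requests are refused.

    Returns True when the request would be served.
    """
    if path_parts and pathtype == DIR and is_forbidden(path_parts[0]):
        return False  # would raise '404 Not Found'
    return True


def check_after(path_parts, pathtype):
    """Post-patch shape: any request under a forbidden module is refused."""
    if path_parts and is_forbidden(path_parts[0]):
        return False
    return True


# Constructed requests: (path, path type, view). The "log" view stands in
# for access to old revisions of a file, which the report says also leaks.
REQUESTS = [
    ("secret-project", DIR, "dir"),
    ("secret-project/passwords.txt", FILE, "markup"),
    ("secret-project/passwords.txt", FILE, "log"),
    ("public/README", FILE, "markup"),
]


def evaluate(check):
    """Map 'view:path' to whether the given check would serve it."""
    return {
        "%s:%s" % (view, path): check(path.split("/"), ptype)
        for path, ptype, view in REQUESTS
    }


def leaked_by_old_check():
    """Requests the old check serves but the patched check refuses."""
    before, after = evaluate(check_before), evaluate(check_after)
    return sorted(k for k in before if before[k] and not after[k])


if __name__ == "__main__":
    for name, check in (("before", check_before), ("after", check_after)):
        print(name, evaluate(check))
    print("leaked by old check:", leaked_by_old_check())
```

Running the block shows the old condition refusing only the directory listing while serving both file views under the forbidden module; the patched condition refuses all three and still serves the public file.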