bug-cvs

Security issue: Full server path returned to the client


From: Wolfgang Loch
Subject: Security issue: Full server path returned to the client
Date: Mon, 15 Dec 2003 22:30:58 +0100

Client: cvs-1-12.3
Server: cvsnt-1.11.2
Protocol: :pserver:

I noticed that when you do a "cvs remove FILE" followed by "cvs commit",
the client shows the full path name of the file on the CVS server. I
consider this a security risk. The client should never see the actual
path on the server.

On the other hand, the client should be allowed to specify full path
names on the client machine, independent of the protocol in use.
Currently you can work with full path names if you are using the :local:
protocol with UNC path names. But when you switch to another protocol,
your existing scripts will stop working. This can be quite surprising.

Wolfgang




