bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security issue: Full server path returned to the client


From: Wolfgang Loch
Subject: Re: Security issue: Full server path returned to the client
Date: Wed, 17 Dec 2003 01:25:03 +0100

> Lots of CVS command echo the full path of the
> affected RCS file.  Since the user has specified
> the root of the repository in CVSROOT and the
> relative path from there to the files in the
> initial checkout, I have a hard time understanding
> how that can possibly be considered a security
> risk.

When using pserver protocol, the CVSROOT contains the server name and a
relative path (or even a virtual name) of the CVS repository. At least
that's true for cvsnt (don't know about Unix). But the RCS file name
that I saw, was something like
"F:/Company/RND/Repository/pat/to/module". The drive F: exists only on
the server machine and I don't want anybody to know about this. If fact,
no user needs to know that this server runs a Windows OS. Maybe it's not
security related and I'm just paranoid.


> Allowing absolute path names in client/server mode
> is very challenging. (See the comments in
> server_pathname_check() in server.c)  Feel free to
> submit patches.

I haven't looked at the internals yet. But I assumed that the client
should convert absolute path names to relative ones _before_ sending
them to the server.

Regards,
Wolfgang





reply via email to

[Prev in Thread] Current Thread [Next in Thread]