bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Security Breach Alert - CVS Home File Download Area Compromised


From: Bernd Petrovitsch
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 10:15:39 +0100

On Tue, 2005-01-25 at 22:45 -0800, Conrad T. Pino wrote:
> > From:  Larry Jones
> > Many browsers will automagically unzip the file without removing the .gz
> > from the file name -- that may be all that's going on.
> 
> I'd buy this concept if it were a consistent behavior.
>
> When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get
> file sizes consistent with values on download page and a PGP signature check
> reports a valid file.
> 
> I'm still unable to download "*.gz.sig" for binaries with Internet Explorer
> 6 and the same download with Netscape 4.8 saves a zero length file.

Strange.

> Working your idea a bit further, the file received with Internet Explorer 6
> is the exact size and content of the uncompressed original which says "magic"
> is taking place but I'm not sure it's client side magic because I expect the
> client side "magic" to work against all servers and that's not currently true.
> 
> I get "magic" behavior with:

Which files/URLs exactly?

> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92

With the .gz Files?

> and many other binary areas on CVS home but no "magic" with
> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0

With the .bz2 files?

> and no "magic" with
> http://jakarta.apache.org/site/binindex.cgi
> either.

The web server may send MIME-Types and similar stuff with the delivered
file. The browser may interpret the MIME-Type and do something on it
(automatically or after asking the user or not at all or ...).

----  snip  ----
{5}wget -S
'https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz'
--10:09:46--  
[...]
10 Content-Type: text/plain
11 Content-Encoding: x-gzip
----  snip  ----
Assuming a "yes" on the above questions, I guess that IE (or whatever
HTTP-client you use) may handle .gz now and ignores .bz2.
And the client side behaviour should be configurable (for exactly the
reason you mentioned - checking md5 hashes) or you throw the HTTP-client
in the litter box.

        Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services




reply via email to

[Prev in Thread] Current Thread [Next in Thread]