bug-cvs

Re: denial-of-service attack prohibits all users from creating new repos


From: Bruno Haible
Subject: Re: denial-of-service attack prohibits all users from creating new repositories
Date: Tue, 1 Jun 2010 21:07:21 +0200
User-agent: KMail/1.9.9

Hi Mark,

> The reason the check exists is because users were 'accidentally'
> creating new repositories inside of other repositories and 'avoiding'
> the existing real 'CVSROOT' trigger scripts for tagging and committing.
> 
> The code to check up the path to see if the new directory is nominally a
> subtree of an existing repository is to stop such behavior and could be
> considered a security feature to the integrity of a CVS repository
> (although, typically only 'important' if set-gid or set-uid cvs
> executables are involved).

But your security feature can too easily be circumvented: A user can
do "cvs init" on another machine and then copy the resulting CVSROOT
directory to the place where he wants to have it. Like this:
  $ cvs -d `pwd`/new init
  $ (cd new && tar cf - CVSROOT) | (ssh other-machine tar xf -)

Before I put this workaround into 'autopoint', can you please tell me:

  1) Under which copyright are these files CVSROOT/* created by 'cvs init'?
     Are they public domain, or copyrighted? by whom?

  2) Do you intend to fill the hole in the security feature that I pointed
     out above? That is, to disallow the workaround in some way?

  3) Is there compatibility with the CVSROOT/* files between different
     versions of cvs? That is, will the infrastructure files from cvs 1.11
     work with cvs 1.12.14, and vice versa?

If I cannot use this workaround, I'll have to deprecate the configuration
option --with-cvs of GNU gettext, and enable --with-git by default instead.

Bruno
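
An audit sketch for the situation discussed in this message, added here as an example and not taken from the post or from the cvs sources: because a CVSROOT directory can arrive by copying rather than through "cvs init", an administrator can look for nested repositories directly on disk. The function names are hypothetical, and the script assumes a repository is recognised by a CVSROOT directory at its top level.

```sh
#!/bin/sh
# Added audit example; function names are hypothetical, not part of cvs.

# Print the nearest ancestor of DIR that holds a CVSROOT directory
# (an upward walk like the one the quoted text describes).
# Returns 1 if no ancestor is a repository, 2 if DIR is not accessible.
enclosing_repo() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        if [ -d "$dir/CVSROOT" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Print every directory below REPO (REPO itself excluded) that holds its own
# CVSROOT, i.e. a nested repository, however it got there.
nested_repos() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$root" -type d -name CVSROOT -print |
    while IFS= read -r admin; do
        [ "$admin" = "$root/CVSROOT" ] || dirname "$admin"
    done | sort
}

# Constructed sample tree: one real repository with a copied-in CVSROOT.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/repo/CVSROOT" "$tmp/repo/proj/src" "$tmp/repo/proj/new/CVSROOT"
    echo "nested repositories under $tmp/repo:"
    nested_repos "$tmp/repo"
    echo "repository enclosing proj/new:"
    enclosing_repo "$tmp/repo/proj/new"
    rm -rf "$tmp"
}
demo
```

Any path printed by nested_repos has its own administrative files, so its commits and tags are not governed by the trigger scripts in the enclosing repository's CVSROOT.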


