
Proposal to Remove Commit/Update-Prog Functionality


From: Derek Robert Price
Subject: Proposal to Remove Commit/Update-Prog Functionality
Date: Thu, 16 Jan 2003 14:35:43 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Hey all,

I don't hear much about anyone who uses this functionality and it is a fairly major security hole in CVS, effectively allowing any client with write access to execute arbitrary code on a CVS server, so I am proposing the functionality be removed.

Please note that I am proposing that the Checkin-prog and Update-prog commands be removed from the CVS protocol. This is different from the *info scripts that can be specified by the CVS administrator to run scripts at update and checkout.

Alternately, if there are major objections to this, the code could be #ifdef'd or options provided in the CVSROOT/config file to enable the functionality, but I'd prefer to disable it.

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
I will not call the principal "spud head".
I will not call the principal "spud head".
I will not call the principal "spud head"...

         - Bart Simpson on chalkboard, _The Simpsons_





