lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Mar 2007 13:56:06 -0400
From: "C. Michael Pilato" <>
Cc:, Full Disclosure <>,,,,
Subject: Re: [viewvc-users]	 Update: ViewCVS and ViewVC
 'checkout view' content type fixation issue

Moritz Naumann wrote:

> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.

Backporting this change will be overkill, I think.  It includes
configuration bits for toggling enablement of various ViewVC views.  For
most folks, though, this is one of those configure-once-and-never-look-back
items.  So, it might be easier to just hard-code the disablement.  You can
do this by tweaking the function view_checkout() (found in lib/ or
lib/, depending on which software you're running) to raise an
Exception.  Psuedo-patch for ViewVC:

   def view_checkout(request):
  +    raise debug.ViewVCException('Checkout view is disabled',
  +                                '403 Forbidden')

or for ViewCVS:

   def view_checkout(request):
  +    raise debug.ViewCVSException('Checkout view is disabled',
  +                                 '403 Forbidden')

C. Michael Pilato <>
CollabNet   <>   <>   Distributed Development On Demand

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists