lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Mar 2007 13:56:06 -0400
From: "C. Michael Pilato" <cmpilato@...lab.net>
To: users@...wvc.tigris.org
Cc: dev@...wvc.tigris.org, Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com, security@...ian.org,
	security@...too.org, moderators@...db.org
Subject: Re: [viewvc-users]	 Update: ViewCVS and ViewVC
 'checkout view' content type fixation issue

Moritz Naumann wrote:

> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.

Backporting this change will be overkill, I think.  It includes
configuration bits for toggling enablement of various ViewVC views.  For
most folks, though, this is one of those configure-once-and-never-look-back
items.  So, it might be easier to just hard-code the disablement.  You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception.  Psuedo-patch for ViewVC:

   def view_checkout(request):
  +    raise debug.ViewVCException('Checkout view is disabled',
  +                                '403 Forbidden')

or for ViewCVS:

   def view_checkout(request):
  +    raise debug.ViewCVSException('Checkout view is disabled',
  +                                 '403 Forbidden')

-- 
C. Michael Pilato <cmpilato@...lab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists