[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <460AAC36.7090305@collab.net>
Date: Wed, 28 Mar 2007 13:56:06 -0400
From: "C. Michael Pilato" <cmpilato@...lab.net>
To: users@...wvc.tigris.org
Cc: dev@...wvc.tigris.org, Full Disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com, security@...ian.org,
security@...too.org, moderators@...db.org
Subject: Re: [viewvc-users] Update: ViewCVS and ViewVC
'checkout view' content type fixation issue
Moritz Naumann wrote:
> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.
Backporting this change will be overkill, I think. It includes
configuration bits for toggling enablement of various ViewVC views. For
most folks, though, this is one of those configure-once-and-never-look-back
items. So, it might be easier to just hard-code the disablement. You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception. Psuedo-patch for ViewVC:
def view_checkout(request):
+ raise debug.ViewVCException('Checkout view is disabled',
+ '403 Forbidden')
or for ViewCVS:
def view_checkout(request):
+ raise debug.ViewCVSException('Checkout view is disabled',
+ '403 Forbidden')
--
C. Michael Pilato <cmpilato@...lab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists