Bugzilla – Attachment 27441 Details for Bug 63989: VUL-0: CVE-2004-0915: Information leak in viewcvs
[patch] subversion.viewcvs.forbidden-hide_cvsroot_CAN-2004-0915.patch (text/plain), 2.27 KB, created by Olaf Hering on 2005-01-07 04:45:44 UTC
Description: subversion.viewcvs.forbidden-hide_cvsroot_CAN-2004-0915.patch
Filename: subversion.viewcvs.forbidden-hide_cvsroot_CAN-2004-0915.patch
MIME Type: text/plain
Creator: Olaf Hering
Created: 2005-01-07 04:45:44 UTC
Size: 2.27 KB
Flags: patch, obsolete
>Bugzilla Bug 48989 - VUL-0: Information leak in viewcvs > >Date: Thu, 25 Nov 2004 12:32:25 +0100 >From: Martin Schulze <joey@infodrom.org> >Subject: [vendor-sec] CAN-2004-0915: Information leak in viewcvs > >Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility >for viewing CVS and Subversion repositories via HTTP. In both cases >the program doesn't honour the settings enough to hide certain >directories from the tar export. > >Problem 1: hide_cvsroot doesn't work when a tar file is exported > >Problem 2: forbidden is ignored when a tar file is exported > >The attached patches patches for both version 0.9 and 1.0 which have >different code but are both vulnerable to these problems seem to fix >those. Upstream is unresponsive unfortunately. > >This is most probably not that critical since many CVS repositories >are available via anonymous CVS anyway and that one does support >neither of these options. > >Regards, > > Joey > >Index: lib/viewcvs.py >=================================================================== >RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v >retrieving revision 1.225 >diff -u -p -r1.225 viewcvs.py >--- lib/viewcvs.py 22 Jan 2004 01:48:58 -0000 1.225 >+++ lib/viewcvs.py 6 Jan 2005 18:54:49 -0000 >@@ -2241,9 +2241,12 @@ def generate_tarball_header(out, name, s > out.write(block) > > def generate_tarball_cvs(out, request, tar_top, rep_top, reldir, tag, stack=[]): >- if (rep_top == '' and 0 < len(reldir) and >- ((reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot) >- or cfg.is_forbidden(reldir[0]))): >+ if (0 < len(rep_top) and rep_top[0] == 'CVSROOT' and cfg.options.hide_cvsroot): >+ return >+ if (0 < len(reldir) and reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot): >+ return >+ >+ if (rep_top == [] and 0 < len(reldir) and cfg.is_forbidden(reldir[0])): > return > > rep_path = rep_top + reldir 
>@@ -2347,6 +2350,13 @@ def download_tarball(request): > query_dict = request.query_dict > rep_top = tar_top = request.path_parts > tag = query_dict.get('only_with_tag') >+ if len(rep_top): >+ tar_top = rep_top[-1] >+ if cfg.is_forbidden(tar_top): >+ raise debug.ViewCVSException('Access to "%s" is forbidden.' >+ % tar_top, '403 Forbidden') >+ else: >+ tar_top = request.path_parts > > ### look for GZIP binary >
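Review bot: in the generate_tarball_cvs hunk, the removed guard compared rep_top with '' although rep_top appears to be a list (download_tarball sets rep_top = request.path_parts, and the function later does rep_top + reldir), so the original hide_cvsroot/is_forbidden test could never be true and both checks were skipped for every tarball export; the replacement correctly tests rep_top == [] and 0 < len(rep_top). The two new hide_cvsroot lines could be folded into a single condition, and the second one now hides a directory whose reldir[0] is 'CVSROOT' at any depth (rep_top non-empty), which is broader than the original top-level-only check, while cfg.is_forbidden(reldir[0]) is still consulted only when rep_top == []; a short comment stating that this asymmetry is intentional would help the next reader.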
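Review bot: in the download_tarball hunk, the forbidden check is applied to rep_top[-1], the last component of the request path, whereas the generate_tarball_cvs hunk tests rep_top[0]; if the forbidden list names top-level modules, a tarball request for a subdirectory of a forbidden module is checked against the subdirectory name only, so consider testing rep_top[0] (or every component) before raising the '403 Forbidden' exception. The added else branch is redundant, since tar_top was already set to request.path_parts two lines earlier, and the two branches leave tar_top with different types (the string rep_top[-1] versus the path_parts list), which generate_tarball_cvs(out, request, tar_top, ...) will receive either way.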