Bug 63989 (CVE-2004-0915)

We received the following report via vendor-sec.
The issue is public. Sounds uncritical, we should probably include
it if other security issues in subversion need to be fixed in the
future.

Date: Thu, 25 Nov 2004 12:32:25 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0915: Information leak in viewcvs

Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP.  In both cases
the program doesn't honour the settings enough to hide certain
directories from the tar export.

Problem 1: hide_cvsroot doesn't work when a tar file is exported

Problem 2: forbidden is ignored when a tar file is exported

The attached patches patches for both version 0.9 and 1.0 which have
different code but are both vulnerable to these problems seem to fix
those.  Upstream is unresponsive unfortunately.

This is most probably not that critical since many CVS repositories
are available via anonymous CVS anyway and that one does support
neither of these options.

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

--- viewcvs.py.orig	2004-10-20 15:03:41.000000000 +0200
+++ viewcvs.py	2004-10-20 16:37:35.000000000 +0200
 def generate_tarball(out, relative, directory, tag, stack=[]):
   subdirs = [ ]
   rcs_files = [ ]
+  if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
+    return
+
   for file, pathname, isdir in get_file_data(directory):
     if pathname == _UNREADABLE_MARKER:
       continue
     if isdir:
+      if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
+        continue
+      if relative.find('/') == -1 and cfg.is_forbidden(file):
+        continue
       subdirs.append(file)
     else:
       rcs_files.append(file)
            '</body></html>\n')
     return
 
+  if where == 'CVSROOT' and cfg.options.hide_cvsroot:
+    print "Status: 400"
+    http_header()
+    print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
+           '<html><head>\n<title>400 Bad Request</title>\n'
+           '</head><body>\n'
+           '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
+           '</body></html>\n')
+    return
+
   ### look for GZIP binary
 
   # if we have a directory and the request didn't end in "/", then redirect

--- /usr/lib/python2.3/site-packages/viewcvs/viewcvs.py	2004-10-20 12:56:26.000000000 +0200
+++ viewcvs.py	2004-10-20 16:02:23.000000000 +0200
     # exist at the front or end of the path.
     path_parts = filter(None, string.split(path_info, '/'))
 
+    if (len(path_parts) > 0 and path_parts[0] == 'CVSROOT' and cfg.options.hide_cvsroot):
+	    raise debug.ViewCVSException('Access to "%s" is forbidden.'
+					 % path_parts[0], '403 Forbidden')
+
     if path_parts:
       # handle magic path prefixes
       if path_parts[0] == docroot_magic_path:
 def generate_tarball(out, request, tar_top, rep_top,
                      reldir, options, stack=[]):
   cvs = request.roottype == 'cvs'
-  if cvs and (rep_top == '' and 0 < len(reldir) and
-              reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot):
+  if (0 < len(rep_top) and rep_top[0] == 'CVSROOT' and cfg.options.hide_cvsroot):
+    return
+
+  if (0 < len(reldir) and reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot):
     return
 
-  if (rep_top == '' and cfg.is_forbidden(reldir[0])):
+  if (rep_top == [] and 0 < len(reldir) and cfg.is_forbidden(reldir[0])):
     return
 
   rep_path = rep_top + reldir
   rep_top = request.path_parts
   if len(rep_top):
     tar_top = rep_top[-1]
+    if cfg.is_forbidden(tar_top):
+      raise debug.ViewCVSException('Access to "%s" is forbidden.'
+				   % tar_top, '403 Forbidden')
   else:
     tar_top = request.rootname