Re: Security issue: Full server path returned to the client
From: Wolfgang Loch
Subject: Re: Security issue: Full server path returned to the client
Date: Wed, 17 Dec 2003 01:25:03 +0100
> Lots of CVS commands echo the full path of the
> affected RCS file. Since the user has specified
> the root of the repository in CVSROOT and the
> relative path from there to the files in the
> initial checkout, I have a hard time understanding
> how that can possibly be considered a security
> risk.
When using the pserver protocol, the CVSROOT contains the server name and a
relative path (or even a virtual name) of the CVS repository. At least
that's true for cvsnt (don't know about Unix). But the RCS file name
that I saw was something like
"F:/Company/RND/Repository/pat/to/module". The drive F: exists only on
the server machine and I don't want anybody to know about this. In fact,
no user needs to know that this server runs a Windows OS. Maybe it's not
security-related and I'm just paranoid.
> Allowing absolute path names in client/server mode
> is very challenging. (See the comments in
> server_pathname_check() in server.c) Feel free to
> submit patches.
I haven't looked at the internals yet. But I assumed that the client
should convert absolute path names to relative ones _before_ sending
them to the server.
Regards,
Wolfgang
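The disclosure discussed in this thread is the server echoing its own absolute filesystem path (here a Windows drive path) in messages sent to the client. The following is an added example, not code from CVS or cvsnt: it scans server-to-client output for absolute paths and rewrites those under the repository root to repository-relative form. The repository root and the sample output lines are constructed for illustration, modelled on the path quoted in the message.

```python
import re
from typing import List

# Constructed server-side repository root, after the example in the message.
REPO_ROOT = "F:/Company/RND/Repository"

# Absolute path: a drive letter plus slash (Windows) or a leading "/" (Unix),
# not preceded by a word character, dot or slash (so "path/to/x" is not matched).
ABS_PATH_RE = re.compile(r'(?<![\w./])(?:[A-Za-z]:[\\/]|/)[^\s"\']+')

# Constructed sample output lines; the second and third leak the server path.
SAMPLE_LINES = [
    "cvs server: Updating path/to/module",
    "RCS file: F:/Company/RND/Repository/path/to/module/file.c,v",
    "cvs server: cannot open F:\\Company\\RND\\Repository\\path\\to\\module\\file.c,v: No such file",
]


def leaked_paths(line: str) -> List[str]:
    """Return every absolute filesystem path found in one output line."""
    return ABS_PATH_RE.findall(line)


def to_repo_relative(path: str, repo_root: str) -> str:
    """Rewrite an absolute path under repo_root to a repository-relative one.

    Windows paths compare case-insensitively and may use backslashes, so both
    sides are normalised before comparison. Paths outside the root are returned
    unchanged (they still count as leaks; see leaked_paths)."""
    norm = path.replace("\\", "/")
    root = repo_root.replace("\\", "/").rstrip("/") + "/"
    if norm.lower().startswith(root.lower()):
        return norm[len(root):]
    return path


def scrub_line(line: str, repo_root: str) -> str:
    """Replace absolute repository paths in a line with repository-relative ones."""
    return ABS_PATH_RE.sub(lambda m: to_repo_relative(m.group(0), repo_root), line)


def leaking_lines(lines: List[str]) -> List[int]:
    """Indices of lines that still expose an absolute server path."""
    return [i for i, line in enumerate(lines) if leaked_paths(line)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scrub_line(line, REPO_ROOT))
```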