Re: Proposal to Remove Commit/Update-Prog Functionality
From: David Sainty
Subject: Re: Proposal to Remove Commit/Update-Prog Functionality
Date: Fri, 17 Jan 2003 12:32:31 +1300
Fabulous!
I'm pretty sure that NetBSD disables these already in the in-tree cvs.
>>> Derek Robert Price <derek@ximbiot.com> 17/01/2003 08:35:43 >>>
Hey all,
I don't hear much about anyone who uses this functionality and it is a
fairly major security hole in CVS, effectively allowing any client with
write access to execute arbitrary code on a CVS server, so I am
proposing the functionality be removed.
Please note that I am proposing that the Checkin-prog and Update-prog
commands be removed from the CVS protocol. This is different from the
*info scripts that can be specified by the CVS administrator to run
scripts at update and checkout.
Alternately, if there are major objections to this, the code could be
#ifdef'd or options provided in the CVSROOT/config file to enable the
functionality, but I'd prefer to disable it.
Derek
--
*8^)
Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
I will not call the principal "spud head".
I will not call the principal "spud head".
I will not call the principal "spud head"...
- Bart Simpson on chalkboard, _The Simpsons_