Package: viewvc
Version: 1.0.3-2
Severity: critical
Tags: security patch
Justification: causes serious data loss
Hello,

viewvc provides a "forbidden" configuration option to forbid access to parts of a repository, but only *directory* listing is forbidden. An attacker who guesses a file name can still view the file directly, even old revisions of the file.

--- viewvc.py.orig 2007-03-29 16:06:39.000000000 -0400 +++ viewvc.py 2007-03-29 16:06:59.000000000 -0400 @@ -328,7 +328,7 @@ needs_redirect = 1 # If this is a forbidden directory, stop now - if self.path_parts and self.pathtype == vclib.DIR \ + if self.path_parts \ and cfg.is_forbidden(self.path_parts[0]): raise debug.ViewVCException('%s: unknown location' % path_parts[0], '404 Not Found')

Thanks,
Ken

-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)

-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
As the choice is essentially cosmetic there will likely be no end to the debate on what the correct decision should be.
http://successor-ml.org/index.php?title=Quoting/anti-quoting
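Review bot: the condition still keys only on the top-level component `self.path_parts[0]`, so if a `forbidden` entry can name a path deeper than the first component it would not be caught here; worth confirming that matches the option's documented granularity before relying on this as the complete fix. Separately, the condition tests `self.path_parts` while the exception message formats `path_parts[0]`; confirm both names resolve to the same value in this scope, otherwise the newly reachable branch for file and revision views could fail with a NameError instead of returning the `404 Not Found`. A regression test that requests a file, and an older revision of it, beneath a forbidden directory and expects the 404 would lock the fix in.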