Package: viewvc
Version: 1.0.3-2
Severity: critical
Tags: security patch
Justification: causes serious data loss

Hello,

viewvc provides a "forbidden" configuration option to forbid access to
parts of a repository, but only *directory* listing is forbidden.  An
attacker who guesses a file name can still view the file directly, even
old revisions of the file.

--- viewvc.py.orig      2007-03-29 16:06:39.000000000 -0400
+++ viewvc.py   2007-03-29 16:06:59.000000000 -0400
@@ -328,7 +328,7 @@
           needs_redirect = 1
 
     # If this is a forbidden directory, stop now
-    if self.path_parts and self.pathtype == vclib.DIR \
+    if self.path_parts \
            and cfg.is_forbidden(self.path_parts[0]):
       raise debug.ViewVCException('%s: unknown location' % path_parts[0],
                                    '404 Not Found')
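Review bot: the widened condition now applies the forbidden check to files and old revisions as the report intends, but the exception message still interpolates `path_parts[0]` while the condition tests `self.path_parts[0]`; use the same expression in both so the 404 text cannot diverge from (or fail on) the value actually checked. Also note the test still consults only the first path component, so the forbidden list is matched against the top-level entry of the path and nothing deeper; confirm that is the intended granularity before relying on it for nested paths.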

Thanks,
        Ken

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)

-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
As the choice is essentially cosmetic there will likely be no end to
the debate on what the correct decision should be.
http://successor-ml.org/index.php?title=Quoting/anti-quoting
