Full Disclosure mailing list archives
Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' content type fixation issue
From: "C. Michael Pilato" <cmpilato () collab net>
Date: Wed, 28 Mar 2007 13:56:06 -0400
Moritz Naumann wrote:
I recommend that users and distributors of earlier ViewVC and ViewCVS versions should either backport the patch which disables the 'checkout view' or the one which makes it optional and deactivate it by default. A less simple but less restrictive patch would introduce a content type whitelisting approach.
Backporting this change will be overkill, I think. It includes configuration bits for toggling enablement of various ViewVC views. For most folks, though, this is one of those configure-once-and-never-look-back items. So, it might be easier to just hard-code the disablement. You can do this by tweaking the function view_checkout() (found in lib/viewvc.py or lib/viewcvs.py, depending on which software you're running) to raise an Exception.

Pseudo-patch for ViewVC:

def view_checkout(request): + raise debug.ViewVCException('Checkout view is disabled', + '403 Forbidden')

or for ViewCVS:

def view_checkout(request): + raise debug.ViewCVSException('Checkout view is disabled', + '403 Forbidden')

--
C. Michael Pilato <cmpilato () collab net>
CollabNet <> www.collab.net <> Distributed Development On Demand
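Review bot: in the ViewVC variant, the unconditional raise at the top of view_checkout() leaves the rest of the function body unreachable with nothing in the code to say why. Add a comment directly above the raise marking it as a deliberate local disablement of the checkout view, so the line is not dropped or "cleaned up" the next time lib/viewvc.py is merged with upstream. The hunk also relies on debug.ViewVCException without adding an import, so confirm that debug is already in scope in that file.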
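Review bot: in the ViewCVS variant, the exception class debug.ViewCVSException is the only thing that differs from the ViewVC hunk, and it is given as a pseudo-patch rather than a tested one. Check that class name against the debug module of the ViewCVS release being patched before deploying: a name that does not exist there would fail with an AttributeError instead of producing the intended '403 Forbidden' response. After patching, request a checkout URL once and confirm the status line is the 403.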
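The content type whitelisting approach mentioned in the quoted recommendation could look like the following. This is an added example, not part of the original message and not ViewVC or ViewCVS code; it assumes, as the issue's name implies, that the content type of the response can be influenced by the request, and every name in it is hypothetical.

```python
# Added illustration; not ViewVC/ViewCVS code. All names are hypothetical.

# Types a browser displays without executing script from the response body.
# text/html, image/svg+xml and XML types are deliberately absent.
INERT_TYPES = frozenset({"text/plain", "image/png", "image/jpeg", "image/gif"})
FALLBACK = "application/octet-stream"


def normalize(value):
    """Return the bare lower-case type/subtype, or None if malformed."""
    if not value:
        return None
    bare = value.split(";", 1)[0].strip().lower()  # drop parameters
    major, sep, minor = bare.partition("/")
    if not sep or not major or not minor:
        return None
    # Only printable, non-space ASCII: rules out CR/LF header injection.
    if any(not (0x21 <= ord(c) <= 0x7E) for c in bare):
        return None
    return bare


def safe_filename(name):
    """Reduce a file name to characters that are safe inside a quoted header."""
    return "".join(
        c if (c.isascii() and c.isalnum()) or c in "._-" else "_" for c in name
    )


def checkout_headers(requested, filename):
    """Build response headers for serving raw repository content.

    `requested` is the untrusted, client-influenced content type.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    ctype = normalize(requested)
    if ctype in INERT_TYPES:
        headers["Content-Type"] = ctype
    else:
        # Anything not allowlisted is downloaded, never rendered inline.
        headers["Content-Type"] = FALLBACK
        headers["Content-Disposition"] = (
            'attachment; filename="%s"' % safe_filename(filename)
        )
    return headers
```
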