Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' content type fixation issue
From: "C. Michael Pilato" <cmpilato () collab net>
Date: Wed, 28 Mar 2007 13:56:06 -0400

Moritz Naumann wrote:

I recommend that users and distributors of earlier ViewVC and ViewCVS
versions should either backport the patch which disables the 'checkout
view' or the one which makes it optional and deactivate it by default.
A less simple but less restrictive patch would introduce a content type
whitelisting approach.

Backporting this change will be overkill, I think.  It includes
configuration bits for toggling enablement of various ViewVC views.  For
most folks, though, this is one of those configure-once-and-never-look-back
items.  So, it might be easier to just hard-code the disablement.  You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception.  Psuedo-patch for ViewVC:

   def view_checkout(request):
  +    raise debug.ViewVCException('Checkout view is disabled',
  +                                '403 Forbidden')

or for ViewCVS:

   def view_checkout(request):
  +    raise debug.ViewCVSException('Checkout view is disabled',
  +                                 '403 Forbidden')

C. Michael Pilato <cmpilato () collab net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Attachment: signature.asc
Description: OpenPGP digital signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]