
To: users@viewvc.tigris.org
Subject: Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' content type fixation issue
From: "C. Michael Pilato" <cmpilato@collab.net>
Date: Wed, 28 Mar 2007 13:56:06 -0400
Cc: Full Disclosure <full-disclosure@lists.grok.org.uk>, bugtraq@securityfocus.com, moderators@osvdb.org, dev@viewvc.tigris.org, security@debian.org, security@gentoo.org
In-reply-to: <460AA53F.1060902@moritz-naumann.com>
Organization: CollabNet, Inc.
References: <45E351E5.3000806@moritz-naumann.com> <45E38D15.7090305@moritz-naumann.com> <460AA53F.1060902@moritz-naumann.com>
User-agent: Thunderbird 1.5.0.10 (X11/20070306)
Moritz Naumann wrote:

> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.

Backporting this change will be overkill, I think.  It includes
configuration bits for toggling enablement of various ViewVC views.  For
most folks, though, this is one of those configure-once-and-never-look-back
items.  So, it might be easier to just hard-code the disablement.  You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception.  Pseudo-patch for ViewVC:

   def view_checkout(request):
  +    raise debug.ViewVCException('Checkout view is disabled',
  +                                '403 Forbidden')
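Review bot: the raise must stay the first statement of view_checkout(), as the hunk shows it; applied by hand after the existing body, it would still open the repository and read the file before refusing, and that body becomes dead code anyway, so delete it rather than leave it behind the raise. Keep '403 Forbidden' as the separate second argument: debug.ViewVCException takes the HTTP status there, it does not parse it out of the message string.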

or for ViewCVS:

   def view_checkout(request):
  +    raise debug.ViewCVSException('Checkout view is disabled',
  +                                 '403 Forbidden')
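Review bot: this hunk differs from the ViewVC one only in the exception class (debug.ViewCVSException) and one extra space of continuation indentation, but the text should say it goes into lib/viewcvs.py, and whoever backports it should check that the installed debug module's ViewCVSException accepts a status as its second argument; the 403 depends on that, otherwise the message is raised but the status is lost.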

-- 
C. Michael Pilato <cmpilato@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Attachment: signature.asc
Description: OpenPGP digital signature
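The third option in Moritz's quoted message, a content type whitelist for the checkout view, worked through as an added example; this is not ViewVC or ViewCVS code and not code from either poster. It assumes two inputs: a caller-supplied content-type request parameter (taken here as the fixation vector) and the server's own MIME guess for the file. The allow-list contents, the fallback to application/octet-stream, and the extra response headers are illustrative choices, not the project's.

```python
import re

# Added example for this thread (not ViewVC/ViewCVS code, not from either
# poster): an allow-list filter for the Content-Type a checkout-style view
# sends back. The inputs are assumptions: `requested` stands for a caller-
# supplied "content-type" request parameter (the fixation vector assumed
# here), `guessed` for the type the server derived from its own MIME map.

# Media types a browser renders passively or just downloads. Active or
# sniffable types (text/html, image/svg+xml, application/xhtml+xml, ...)
# are deliberately absent; the list is an illustrative choice.
ALLOWED_CONTENT_TYPES = frozenset([
    "text/plain",
    "application/octet-stream",
    "image/png",
    "image/jpeg",
    "image/gif",
])

# What to send when neither candidate is allowed. octet-stream is inert in
# every browser: at worst it is downloaded, never rendered or scripted.
SAFE_DEFAULT = "application/octet-stream"

# RFC 2045-style type/subtype tokens only: no whitespace, no CR/LF, so a
# value cannot smuggle extra header lines into the response.
_MEDIA_TYPE_RE = re.compile(r"[a-z0-9][a-z0-9!#$&^_.+-]*/[a-z0-9][a-z0-9!#$&^_.+-]*")


def normalize_media_type(value):
    """Reduce a Content-Type value to a lowercase type/subtype, or None.

    Parameters such as "; charset=utf-8" are dropped; anything that is not a
    well-formed token pair (including header-injection attempts) is rejected.
    """
    if not value:
        return None
    media = value.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE_RE.fullmatch(media):
        return None
    return media


def safe_content_type(requested, guessed=None):
    """Pick the Content-Type to send for a checkout.

    The caller's choice wins only if it is on the allow-list; the server's
    own guess is filtered the same way, because MIME maps happily yield
    text/html for *.html files in the repository. Otherwise fall back.
    """
    for candidate in (requested, guessed):
        media = normalize_media_type(candidate)
        if media in ALLOWED_CONTENT_TYPES:
            return media
    return SAFE_DEFAULT


def checkout_headers(requested, guessed, filename):
    """Build the response headers for serving one checked-out file."""
    content_type = safe_content_type(requested, guessed)
    headers = {
        "Content-Type": content_type,
        # Tell browsers not to sniff their way back to text/html.
        "X-Content-Type-Options": "nosniff",
    }
    if content_type == SAFE_DEFAULT:
        # Not a type we would render inline: serve it as a download and
        # keep the filename to a conservative character set.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return headers


if __name__ == "__main__":
    # Constructed requests: an attacker asking for text/html on a repository
    # file, a benign charset-bearing request, and no parameter at all.
    for req, guess, name in [("text/html", "text/html", "page.html"),
                             ("TEXT/PLAIN; charset=utf-8", None, "notes.txt"),
                             (None, "image/gif", "logo.gif")]:
        print(name, checkout_headers(req, guess, name))
```

The filter is keyed on an allow-list of full media types rather than a deny-list of text/html, because the set of types a browser will treat as active keeps growing; both the caller's parameter and the server's own guess pass through it, so a repository file named something.html is no more of an XSS vector than one served with a forged parameter. The hard-coded disable in the pseudo-patch above remains the smaller change if the view is not needed at all.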
