From: Derek Robert Price
Subject: Proposal to Remove Commit/Update-Prog Functionality
Date: Thu, 16 Jan 2003 14:35:43 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01
Hey all,
I don't hear much about anyone who uses this functionality and it is a fairly major security hole in CVS, effectively allowing any client with write access to execute arbitrary code on a CVS server, so I am proposing the functionality be removed.
Please note that I am proposing that the Checkin-prog and Update-prog commands be removed from the CVS protocol. This is different from the *info scripts that can be specified by the CVS administrator to run scripts at update and checkout.
Alternately, if there are major objections to this, the code could be #ifdef'd or options provided in the CVSROOT/config file to enable the functionality, but I'd prefer to disable it.
Derek
--
*8^)
Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
I will not call the principal "spud head". I will not call the principal "spud head". I will not call the principal "spud head"...
- Bart Simpson on chalkboard, _The Simpsons_