
[Cvs-dev] Re: [Cvs-cvs] ccvs ChangeLog NEWS [cvs1-11-x-branch]


From: Larry Jones
Subject: [Cvs-dev] Re: [Cvs-cvs] ccvs ChangeLog NEWS [cvs1-11-x-branch]
Date: Tue, 29 Aug 2006 15:49:52 -0400 (EDT)

Derek R. Price writes:
> 
> Larry Jones wrote:
> >
> > path.  Have we already normalized or forbidden /../?
> 
> Not really.  The server verifies that there are not enough /../ to step
> above the top of its temp dir, but other than that, it is allowed.

Ah, that opens up a can of worms, then.  It would seem that "/../"
should also be normalized for similar reasons to why "/./" should, but
it's tricky in the presence of symlinks since "/a/b/../" isn't
necessarily the same as "/a/" if "b" is a symlink.  So, you really need
to expand symlinks during normalization, but that violates the rule that
messages coming out should match what the user put in even more than
just normalizing "//" and "/./" does.

-Larry Jones

I hate being good. -- Calvin
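
An added example, not part of the message above and not CVS code: it shows the disagreement Larry describes, where collapsing "/../" as text gives a different directory than the filesystem reaches once a symlink is involved, and that a purely textual "not enough /../ to climb above the top" count cannot see the difference. The function names, the depth-counting check and the temporary directory layout are all assumptions constructed for illustration.

```python
import os
import tempfile


def stays_below_top(relpath):
    """Textual check: never more ".." than directories already entered."""
    depth = 0
    for part in relpath.split("/"):
        if part in ("", "."):
            continue            # "//" and "/./" change nothing
        depth += -1 if part == ".." else 1
        if depth < 0:
            return False
    return True


def lexical(top, relpath):
    """Collapse "//", "/./" and "/../" as text only; never touches the disk."""
    return os.path.normpath(os.path.join(top, relpath))


def resolved(top, relpath):
    """Expand symlinks component by component, the way path lookup does."""
    return os.path.realpath(os.path.join(top, relpath))


def build_tree():
    """Constructed layout: <top>/a/b is a symlink to <top>/other/deep."""
    top = os.path.realpath(tempfile.mkdtemp(prefix="normdemo-"))
    os.makedirs(os.path.join(top, "a"))
    os.makedirs(os.path.join(top, "other", "deep"))
    os.symlink(os.path.join(top, "other", "deep"), os.path.join(top, "a", "b"))
    return top


if __name__ == "__main__":
    top = build_tree()
    for rel in ("a//./b/../", "a/../../x"):
        print(rel, stays_below_top(rel), lexical(top, rel), resolved(top, rel))
```

For "a//./b/../" the textual result is `<top>/a` while the resolved result is `<top>/other`, so any decision made on the textual form applies to a different directory than the one actually opened.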



