| From: | Jeroen Ruigrok/asmodai <asmodai(at)wxs(dot)nl> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-www(at)postgresql(dot)org |
| Subject: | Re: things currently broken/missing |
| Date: | 2004-02-11 17:27:47 |
| Message-ID: | 20040211172747.GR39523@nexus.ninth-circle.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
-On [20040211 17:32], Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>I think we probably ought to leave this turned off. From a security
>standpoint, it would scare me quite a lot for the cgi user to have write
>access to the CVS tree. Even though the annotation software itself may
>do nothing more risky than temporarily locking files, what of bugs that
>might allow someone to make more extensive changes?
Make sure to replace every call to 'cvs' with 'cvs -R'. This enables
read-only repository mode. Or set the relevant environment variable.
Note that cvs 1.12.x is more intelligent about locks.
--
Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / kita no mono
PGP fingerprint: 2D92 980E 45FE 2C28 9DB7 9D88 97E6 839B 2EAC 625B
http://www.tendra.org/ | http://diary.in-nomine.org/
Expansion of happiness is the purpose of life...
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeroen Ruigrok/asmodai | 2004-02-11 22:16:19 | Re: things currently broken/missing |
| Previous Message | Tom Lane | 2004-02-11 16:49:52 | Re: things currently broken/missing |