Re: Git cvsserver serious issue

On Thu, Sep 23, 2010 at 11:49 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> On Thu, Sep 23, 2010 at 17:32, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>>> Are we sure that's going to stop the DOS issue?
>
>> As long as it's done right, I don't see how it wouldn't.
>
> There might be a cleaner way to do it, but after a moment's inspection
> of the script, I'd be inclined to just hack GITCVS::updater->new() to
> throw error if $module is neither "master" nor "REL\d_\d_STABLE".
> Keep in mind of course that I'm a lousy Perl coder.

Here's a quick change that will allow you to specifig a "modules" in
the gitcvs section to export, like:
[gitcvs]
enabled=1
modules=master,REL9_0_STABLE,REL8_4_STABLE

--- git-cvsserver.orig 2010-09-23 12:03:06.000000000 -0400
+++ git-cvsserver 2010-09-23 13:16:53.000000000 -0400
@@ -2771,6 +2771,12 @@

die "Git repo '$self->{git_path}' doesn't exist" unless ( -d
$self->{git_path} );

+ if (defined $cfg->{gitcvs}{modules})
+ {
+ $log->debug("Limitting modules: ". $cfg->{gitcvs}{modules});
+ die "Invalid module $module" unless map {/^ *$module$/}
split(',', $cfg->{gitcvs}{modules});
+ }
+
$self->{dbdriver} = $cfg->{gitcvs}{$state->{method}}{dbdriver} ||
$cfg->{gitcvs}{dbdriver} || "SQLite";
$self->{dbname} = $cfg->{gitcvs}{$state->{method}}{dbname} ||