OBS-URL: https://build.opensuse.org/request/show/636901 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/cvs?expand=0&rev=39
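--- a/cvs-1.12.13/src/client.c
+++ b/cvs-1.12.13/src/client.c
@@ -750,6 +750,19 @@ call_in_directory (const char *pathname,
 
 assert (pathname);
 
+ /* For security reasons, if PATHNAME is absolute or attemps to ascend
+ * outside of the current sanbbox, we abort. The server should not send us
+ * anything but relative paths which remain inside the sandbox here.
+ * Anything less means a trojan CVS server could create and edit arbitrary
+ * files on the client.
+ */
+ if (ISABSOLUTE (pathname) || pathname_levels (pathname) > 0)
+ {
+ error (0, 0,
+ "Server attempted to update a file via an invalid pathname:");
+ error (1, 0, "`%s'.", pathname);
+ }
+
 reposname = NULL;
 read_line (&reposname);
 assert (reposname);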
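Review bot: The comment above the new guard has two typos, `attemps` and `sanbbox`, so its first sentence should read `/* For security reasons, if PATHNAME is absolute or attempts to ascend outside of the current sandbox, we abort.` before this lands. The guard itself rejects absolute names and names whose `..` components climb above the working directory, which is the right lexical check for a server-supplied path that is about to be used on the client; whether a name that descends first and then climbs back past its start (for example `a/../../b`) is rejected depends on how pathname_levels counts levels, which is not visible in this hunk, so a unit test for that case would pin the intended behaviour. A lexical check also cannot see a symlink that already exists inside the sandbox, so if any other server response can create one, that path needs its own validation rather than relying on this guard. call_in_directory begins before this hunk and continues after it.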