| From: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-www(at)postgresql(dot)org |
| Subject: | Re: things currently broken/missing |
| Date: | 2004-02-11 16:35:58 |
| Message-ID: | 20040211123247.U40659@ganymede.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
doing a quick look, we're running an *ancient* version (not sure what
version):
# $Id: cvsweb.cgi,v 1.1.1.1 2001/10/03 12:24:53 root Exp $
vs 2.0.6 which is in FreeBSD ports:
# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.119.2.6 2002/09/26 20:56:05
scop Exp $
and:
The latest beta version, 2.9.2 on the web site at:
http://www.freebsd.org/projects/cvsweb.html
so, do we want to look at upgrading? :)
On Wed, 11 Feb 2004, Tom Lane wrote:
> Robert Treat <xzilla(at)users(dot)sourceforge(dot)net> writes:
> > On Wed, 2004-02-11 at 10:19, Marc G. Fournier wrote:
> >> Odd ... I just disabled it ... why would we want that ability enabled:
> >>
> >> # allow annotation of files
> >> # this requires rw-access to the
> >> # CVSROOT/history - file and rw-access
> >> # to the subdirectory to place the lock
> >> # so you maybe don't want it
> >>
> >> sounds to me like anyone with a web browser can write to CVS?
>
> > thats not what its supposed to do, though it does sound like thats what
> > it does from the instructions you've pasted. what its supposed to do is
> > give you a a breakdown of file changes per version, similar to this:
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/urchin5/Makefile?annotate=1.2
>
> I think we probably ought to leave this turned off. From a security
> standpoint, it would scare me quite a lot for the cgi user to have write
> access to the CVS tree. Even though the annotation software itself may
> do nothing more risky than temporarily locking files, what of bugs that
> might allow someone to make more extensive changes?
>
> The annotation display is kind of nice, but it doesn't strike me as
> useful enough to be worth taking any risks for. The people who are
> likely to need it all have local CVS copies and can just run "cvs anno"
> when they need it. (But then, I only find a use for this maybe a couple
> times a year. Perhaps other people depend on it more?)
>
> regards, tom lane
>
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org Yahoo!: yscrappy ICQ: 7615664
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-02-11 16:49:52 | Re: things currently broken/missing |
| Previous Message | Tom Lane | 2004-02-11 16:15:16 | Re: things currently broken/missing |