
Re: Bug: committers can set arbitrary HTTP Headers on any file

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: 2007-08-10 20:50:49 CEST

Brian W. Fitzpatrick wrote:
> On 8/10/07, Ben Collins-Sussman <sussman@red-bean.com> wrote:
>> Well, um, it might be a security hole. Look at this paper:
>>
>> http://www.cgisecurity.com/lib/whitepaper_httpresponse.pdf
>
> And if I can set the body of the response to whatever I want, then
> surely *that's* a security hole, no?

Yeah, I think that's the key distinction here. The only people who can
cause this behavior are those with commit access to the repository. But if
they've gotten that far, the security hole isn't in your software -- it's in
your social network. :-)

-- 
C. Michael Pilato <cmpilato@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
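The concern in this thread is that a value a committer controls ends up verbatim in an HTTP response header, which is the precondition for the response-splitting technique in the linked whitepaper. As an added illustration (not code from Subversion or from anyone in this thread), here is the kind of server-side check a defender would put between repository metadata and the response: header names must be RFC 7230 tokens and values must contain no CR, LF, NUL or other control characters. The `metadata` dictionary and the header names are constructed sample input.

```python
import re

# RFC 7230 "tchar" set for header field names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_header(name: str, value: str) -> bool:
    """Return True only if emitting `name: value` cannot terminate the
    header block early or smuggle in an additional header line."""
    if not _TOKEN.match(name):
        return False
    for ch in value:
        code = ord(ch)
        # CR/LF end a header line; NUL and other C0 controls are never
        # legitimate in a field value. Horizontal tab is permitted whitespace.
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            return False
    return True


def build_response_headers(metadata: dict) -> tuple:
    """Copy committer-controlled metadata into response headers.

    Returns (headers, rejected): `headers` holds the values that passed the
    check, `rejected` the names that were dropped, so the server can log them.
    """
    headers = {}
    rejected = []
    for name, value in metadata.items():
        if is_safe_header(name, value):
            headers[name] = value
        else:
            rejected.append(name)
    return headers, rejected


if __name__ == "__main__":
    # Constructed sample: one benign value, one carrying a CRLF sequence.
    sample = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Repo-Note": "release build\r\nX-Injected: 1",
    }
    ok, dropped = build_response_headers(sample)
    print("emitted:", ok)
    print("dropped:", dropped)
```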

Received on Fri Aug 10 20:48:54 2007

This is an archived mail posted to the Subversion Dev mailing list.