
Re: CGI script for self-administering password in svnserve passwd files

From: David Glasser <glasser_at_davidglasser.net>
Date: Wed, 13 Feb 2008 19:54:14 -0800

2008/2/13 Jonathan Kamens <jonathan.kamens_at_tamalesoftware.com>:
> (I'm not on the dev list, so please CC me on your response.)
>
> Greetings,
>
> We're in the process of setting up Subversion in-house, and we want to use
> svnserve in stand-alone mode (don't want to use WebDAV because it's slower
> than svnserve, and don't want to use SSH because it's slower, has less
> access control and requires creating accounts for all the users on the
> Subversion server).
>
> When we started looking into how to set this up, we couldn't find any way to
> allow users to change their own repository passwords. Since we want users
> to be able to change their passwords, and since we don't want them to have
> to come to us to do it, I wrote a little Perl CGI script to allow them to do
> it themselves (so sue me, I haven't gotten around to learning Python yet
> :-).
>
> Perhaps we were wrong in believing that there was no supported way to do
> this. Perhaps someone else has already written such a CGI script which we
> simply missed in our search. But if neither of these things is true :-),
> then I'm wondering if there's any interest in including this script as a
> contributed tool in the Subversion distribution.
>
> I've attached the script for your consideration. Any feedback would be
> appreciated.

Big security hole: you take the "username" parameter directly from
user input and interpolate it into a regexp. Don't do that :-)

Also, you probably want to update the file atomically (with a temp
file and a rename). Wouldn't want svnserve to read a half-written
file...

And looks like if the user doesn't pass in a "repo" parameter,
$passwd_file isn't defined... exciting times. Not to mention the
errors that happen if various parameters are the string "0" (though
admittedly that's a rather poor username or password).

--dave

-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/
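As an added example (not the script Jonathan attached and not Subversion project code), the following Python sketch shows the parts of such an updater that Dave's comments touch: the "repo" parameter is resolved through a fixed table, so a missing or unknown value is an error rather than an undefined file path; the username is whitelisted by character class and compared literally instead of being interpolated into a regexp; parameters are tested with "is None" so the string "0" is still treated as a value; and the passwd file is rewritten through a temp file in the same directory followed by a rename, so svnserve never sees a half-written file. The names PASSWD_FILES, handle_request and PasswdError, the placeholder path, and the sample passwd content are assumptions made for the illustration.

```python
import hmac
import os
import re
import tempfile

# Constructed table from the CGI "repo" parameter to the svnserve passwd file it
# administers. A fixed table means a request can only ever name a file the
# administrator chose; the placeholder path is an assumption for this example.
PASSWD_FILES = {
    "projectA": "/var/svn/projectA/conf/passwd",
}

# Usernames are whitelisted and compared with ==, never built into a pattern,
# so a value such as "ha.*" cannot change what the lookup matches.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9._-]{1,64}\Z")
# No control characters: the value must stay on its own line of the passwd file.
PASSWORD_RE = re.compile(r"\A[^\x00-\x1f\x7f]{1,128}\Z")


class PasswdError(Exception):
    """Any request the script refuses; the CGI front end turns it into an error page."""


def passwd_path_for(repo, passwd_files=PASSWD_FILES):
    """Resolve the 'repo' parameter. Missing or unknown is an error, not an undefined path."""
    if repo is None:
        raise PasswdError("missing 'repo' parameter")
    if repo not in passwd_files:
        raise PasswdError("unknown repository")
    return passwd_files[repo]


def is_valid_username(username):
    return username is not None and USERNAME_RE.match(username) is not None


def is_valid_password(password):
    # svnserve's config parser strips surrounding whitespace from values, so a
    # password with leading or trailing blanks would not round-trip; reject it.
    return (password is not None and PASSWORD_RE.match(password) is not None
            and password == password.strip())


def change_password(lines, username, old_password, new_password):
    """Return a copy of the passwd file lines with the user's entry rewritten.

    Only the [users] section is touched; every other line is copied through.
    Presence is tested with 'is None' rather than truthiness, so "0" works.
    """
    if not is_valid_username(username):
        raise PasswdError("invalid username")
    if old_password is None or not is_valid_password(new_password):
        raise PasswdError("invalid password")
    out, in_users, found = [], False, False
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_users = stripped[1:-1].strip() == "users"
        elif in_users and stripped and stripped[0] not in "#;" and "=" in stripped:
            key, value = (part.strip() for part in stripped.split("=", 1))
            if key == username:
                # Constant-time comparison of the stored plaintext password.
                if not hmac.compare_digest(value.encode(), old_password.encode()):
                    raise PasswdError("authentication failed")
                out.append(f"{username} = {new_password}\n")
                found = True
                continue
        out.append(line)
    if not found:
        # Same message as a wrong password, so the script does not reveal which names exist.
        raise PasswdError("authentication failed")
    return out


def write_atomically(path, lines):
    """Replace path via temp file + rename; readers see either the old or the new file."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".passwd.", dir=directory)
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.writelines(lines)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.chmod(tmp_path, os.stat(path).st_mode & 0o777)  # keep the original's mode
        os.replace(tmp_path, path)  # atomic on POSIX within one filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def handle_request(params, passwd_files=PASSWD_FILES):
    """Process one request; params maps parameter name to value, None when absent."""
    path = passwd_path_for(params.get("repo"), passwd_files)
    with open(path) as fh:
        lines = fh.readlines()
    new_lines = change_password(lines, params.get("username"),
                                params.get("old_password"), params.get("new_password"))
    write_atomically(path, new_lines)
    return "password changed"


if __name__ == "__main__":
    # Stand-alone demo against a constructed passwd file in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        demo = os.path.join(d, "passwd")
        with open(demo, "w") as fh:
            fh.write("### constructed sample\n[users]\nharry = harryssecret\n0 = 0\n")
        print(handle_request({"repo": "demo", "username": "harry",
                              "old_password": "harryssecret", "new_password": "s3cret"},
                             {"demo": demo}))
        print(open(demo).read())
```

The temp file is created beside the target on purpose: os.replace is only atomic when source and destination sit on the same filesystem, and the CGI user needs write permission on the conf directory, not just on the passwd file, for the rename to succeed.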
Received on 2008-02-14 04:54:23 CET

This is an archived mail posted to the Subversion Dev mailing list.
