Does the fact that there has been no response to the email below mean
that there is no interest in distributing this CGI script with
Subversion or that I have failed to attract the attention of the people
who would be involved in deciding whether to do so?
If the latter, can anyone suggest how I might attract their attention?
Thanks,
jik
-----Original Message-----
From: Jonathan Kamens
Sent: Thursday, February 14, 2008 11:37 AM
To: dev_at_subversion.tigris.org
Subject: Re: CGI script for self-administering password in svnserve passwd files

Thanks for the code review!
On 02/13/2008 10:54 PM, David Glasser wrote:
> Big security hole: you take the "username" parameter directly from
> user input and interpolate it into a regexp. Don't do that :-)
>
Right you are. Fixed.
> Also, you probably want to update the file atomically (with a temp
> file and a rename). Wouldn't want svnserve to read a half-written
> file...
>
I had resisted doing this because I didn't want to require that the
password file be in its own directory that's writeable by apache, but I
suppose you're right that it's necessary, so fixed.
> And looks like if the user doesn't pass in a "repo" parameter,
> $passwd_file isn't defined... exciting times.
Not really exciting times, just an internal error, but I've now made
this more explicit.
> Not to mention the
> errors that happen if various parameters are the string "0" (though
> admittedly that's a rather poor username or password).
>
Wow, you're paranoid :-). Fixed, I believe.
I also added a few additional test cases and made the test suite work
again (some last-minute changes I made before posting the script broke
the tests).
I also added "-T" to the #! line to enable taint checks, for a slightly
higher level of paranoia.
A new version is attached, along with a diff. Please take a look.
Is there any interest in shipping this script with the distribution? If
there is, I'd be happy to commit to maintaining it.
jik
Received on 2008-02-21 21:42:19 CET
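
The review points raised in this thread (matching the username literally inside a regexp, not treating the string "0" as missing, and updating the file through a temp file and rename), sketched in Perl as an added example; this is not the script attached to the message. The `set_password` helper, the username allow-list and the sample file contents are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Hypothetical helper (not the script from this thread): change one existing
# user's password in an svnserve-style "name = password" file.
sub set_password {
    my ($passwd_file, $user, $new_pass) = @_;
    # Check defined/length, not truth: the string "0" is false in Perl.
    for my $v ($passwd_file, $user, $new_pass) {
        die "missing parameter\n" unless defined $v && length $v;
    }
    die "bad username\n" unless $user =~ /\A[A-Za-z0-9._-]+\z/;
    die "bad password\n" if $new_pass =~ /[\r\n]/;

    open my $in, '<', $passwd_file or die "open $passwd_file: $!\n";
    # Temp file in the same directory, so rename() never crosses filesystems.
    my ($out, $tmp) = tempfile('.passwd.XXXXXX', DIR => dirname($passwd_file));
    my $found = 0;
    while (my $line = <$in>) {
        # \Q...\E makes the interpolated name match literally.
        if ($line =~ /\A\s*\Q$user\E\s*=/) {
            $line  = "$user = $new_pass\n";
            $found = 1;
        }
        print {$out} $line or die "write $tmp: $!\n";
    }
    close $in;
    close $out or die "close $tmp: $!\n";
    if (!$found) { unlink $tmp; return 0; }
    # tempfile() creates mode 0600; keep the original mode so svnserve can read it.
    chmod((stat $passwd_file)[2] & 07777, $tmp) or die "chmod $tmp: $!\n";
    # rename() replaces the file in one step: readers see old or new, never half.
    rename $tmp, $passwd_file or die "rename $tmp: $!\n";
    return 1;
}

# Constructed sample data: "aXb" would match an unquoted /a.b/; "0" is a false string.
my $file = tempdir(CLEANUP => 1) . '/passwd';
open my $fh, '>', $file or die "open $file: $!\n";
print {$fh} "[users]\naXb = one\na.b = two\n0 = three\n";
close $fh;
set_password($file, 'a.b', 'changed') or die "a.b not found\n";
set_password($file, '0', '0')         or die "0 not found\n";
open $fh, '<', $file or die "open $file: $!\n";
print while <$fh>;
close $fh;
```

Because the temp file is created next to the password file, the web server user needs write access to that directory, which is the trade-off discussed in the message.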