[packages/cvs-nserver.git] / cvs-nserver-CAN-2003-0977-and-CAN-2004-0180.patch

diff -urN cvs-nserver-1.11.1.52.org/src/modules.c cvs-nserver-1.11.1.52/src/modules.c
--- cvs-nserver-1.11.1.52.org/src/modules.c	2004-05-23 02:51:33.243861768 +0200
+++ cvs-nserver-1.11.1.52/src/modules.c	2004-05-23 03:11:37.243825952 +0200
@@ -159,6 +159,24 @@
     }
 #endif
 
+    /* Don't process absolute directories.  Anything else could be a security
+     * problem.  Before this check was put in place:
+     *
+     *   $ cvs -d:fork:/cvsroot co /foo
+     *   cvs server: warning: cannot make directory CVS in /: Permission denied
+     *   cvs [server aborted]: cannot make directory /foo: Permission denied
+     *   $
+     */
+    if (isabsolute (mname))
+       error (1, 0, "Absolute module reference invalid: `%s'", mname);
+
+    /* Similarly for directories that attempt to step above the root of the
+     * repository.
+     */
+    if (pathname_levels (mname) > 0)
+       error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
+               mname);
+
     /* if this is a directory to ignore, add it to that list */
     if (mname[0] == '!' && mname[1] != '\0')
     {
diff -urN cvs-nserver-1.11.1.52.org/src/client.c cvs-nserver-1.11.1.52/src/client.c
--- cvs-nserver-1.11.1.52.org/src/client.c	2004-05-23 02:51:33.285855384 +0200
+++ cvs-nserver-1.11.1.52/src/client.c	2004-05-23 03:18:06.134705552 +0200
@@ -663,6 +663,18 @@
     char *rdirp;
     int reposdirname_absolute;
 
+    /* For security reasons, if PATHNAME is absolute or attemps to ascend
+     * outside of the current sanbbox, we abort.  The server should not send us
+     * anything but relative paths which remain inside the sandbox here.
+     * Anything less means a trojan CVS server could create and edit arbitrary
+     * files on the client.
+     */
+    if (isabsolute (pathname) || pathname_levels (pathname) > 0)
+    {
+	error (0, 0, "Server attempted to update a file via an invalid pathname:");
+	error (1, 0, "`%s'.", pathname);
+    }
+
     reposname = NULL;
     read_line (&reposname);
     assert (reposname != NULL);
Commit	Line	Data
1e29e54b AM	1	diff -urN cvs-nserver-1.11.1.52.org/src/modules.c cvs-nserver-1.11.1.52/src/modules.c
	2	--- cvs-nserver-1.11.1.52.org/src/modules.c 2004-05-23 02:51:33.243861768 +0200
	3	+++ cvs-nserver-1.11.1.52/src/modules.c 2004-05-23 03:11:37.243825952 +0200
	4	@@ -159,6 +159,24 @@
	5	}
	6	#endif
	7
	8	+ /* Don't process absolute directories. Anything else could be a security
	9	+ * problem. Before this check was put in place:
	10	+ *
	11	+ * $ cvs -d:fork:/cvsroot co /foo
	12	+ * cvs server: warning: cannot make directory CVS in /: Permission denied
	13	+ * cvs [server aborted]: cannot make directory /foo: Permission denied
	14	+ * $
	15	+ */
	16	+ if (isabsolute (mname))
	17	+ error (1, 0, "Absolute module reference invalid: `%s'", mname);
	18	+
	19	+ /* Similarly for directories that attempt to step above the root of the
	20	+ * repository.
	21	+ */
	22	+ if (pathname_levels (mname) > 0)
	23	+ error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
	24	+ mname);
	25	+
	26	/* if this is a directory to ignore, add it to that list */
	27	if (mname[0] == '!' && mname[1] != '\0')
	28	{
	29	diff -urN cvs-nserver-1.11.1.52.org/src/client.c cvs-nserver-1.11.1.52/src/client.c
	30	--- cvs-nserver-1.11.1.52.org/src/client.c 2004-05-23 02:51:33.285855384 +0200
	31	+++ cvs-nserver-1.11.1.52/src/client.c 2004-05-23 03:18:06.134705552 +0200
	32	@@ -663,6 +663,18 @@
	33	char *rdirp;
	34	int reposdirname_absolute;
	35
	36	+ /* For security reasons, if PATHNAME is absolute or attemps to ascend
	37	+ * outside of the current sanbbox, we abort. The server should not send us
	38	+ * anything but relative paths which remain inside the sandbox here.
	39	+ * Anything less means a trojan CVS server could create and edit arbitrary
	40	+ * files on the client.
	41	+ */
	42	+ if (isabsolute (pathname) \|\| pathname_levels (pathname) > 0)
	43	+ {
	44	+ error (0, 0, "Server attempted to update a file via an invalid pathname:");
	45	+ error (1, 0, "`%s'.", pathname);
	46	+ }
	47	+
	48	reposname = NULL;
	49	read_line (&reposname);
	50	assert (reposname != NULL);