author | Jacques Vidrine <nectar@FreeBSD.org> | 2004-01-21 16:27:56 +0000 |
---|---|---|
committer | Jacques Vidrine <nectar@FreeBSD.org> | 2004-01-21 16:27:56 +0000 |
commit | c8ae5f056296ca06d45a165f9c8588a777b19a89 (patch) | |
tree | 9496e7d6854aead54712d74c18df16c4466822de /contrib/cvs/src/modules.c | |
parent | 794bef18e711048a65f168af2fe57a60d766b685 (diff) |
Notes
Diffstat (limited to 'contrib/cvs/src/modules.c')
-rw-r--r-- | contrib/cvs/src/modules.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/contrib/cvs/src/modules.c b/contrib/cvs/src/modules.c
index b161e947bcb83..b2ded8de2ab04 100644
--- a/contrib/cvs/src/modules.c
+++ b/contrib/cvs/src/modules.c
@@ -159,6 +159,17 @@ do_module (db, mname, m_type, msg, callback_proc, where, shorten,
 }
 #endif
 
+ /* Don't process absolute directories. Anything else could be a security
+ * problem. Before this check was put in place:
+ *
+ * $ cvs -d:fork:/cvsroot co /foo
+ * cvs server: warning: cannot make directory CVS in /: Permission denied
+ * cvs [server aborted]: cannot make directory /foo: Permission denied
+ * $
+ */
+ if (isabsolute (mname))
+ error (1, 0, "Absolute module reference invalid: `%s'", mname);
+
 /* if this is a directory to ignore, add it to that list */
 if (mname[0] == '!' && mname[1] != '\0')
 {
|
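Review bot: The added guard rejects a module name only when `isabsolute (mname)` is true, so a relative name that climbs out of the tree through `..` components is not stopped by this check. Nothing visible in the hunk shows whether that case is filtered elsewhere in do_module or by its callers. The comment also says "Anything else could be a security problem" without naming the invariant being enforced. I would reword it so the remaining gap is explicit, e.g. `/* Module names must resolve below the repository/checkout root: reject absolute paths here; ".." components need an equivalent check. */`, and pair the absolute-path test with a component check in the same place. The check sits before the `!`-prefixed ignore handling, so it does not strip a leading `!` before testing; confirm that `!/path` cannot reach directory creation. do_module's body starts and ends outside the hunk.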