Doing a quick look, we're running an *ancient* version (not sure what
version):
# $Id: cvsweb.cgi,v 1.1.1.1 2001/10/03 12:24:53 root Exp $
vs 2.0.6 which is in FreeBSD ports:
# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.119.2.6 2002/09/26 20:56:05 scop Exp $
and:
The latest beta version, 2.9.2, is on the web site at:
http://www.freebsd.org/projects/cvsweb.html
so, do we want to look at upgrading? :)
On Wed, 11 Feb 2004, Tom Lane wrote:
> Robert Treat <xzilla@users.sourceforge.net> writes:
> > On Wed, 2004-02-11 at 10:19, Marc G. Fournier wrote:
> >> Odd ... I just disabled it ... why would we want that ability enabled:
> >>
> >> # allow annotation of files
> >> # this requires rw-access to the
> >> # CVSROOT/history - file and rw-access
> >> # to the subdirectory to place the lock
> >> # so you maybe don't want it
> >>
> >> sounds to me like anyone with a web browser can write to CVS?
>
> > that's not what it's supposed to do, though it does sound like that's what
> > it does from the instructions you've pasted. What it's supposed to do is
> > give you a breakdown of file changes per version, similar to this:
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/urchin5/Makefile?annotate=1.2
>
> I think we probably ought to leave this turned off. From a security
> standpoint, it would scare me quite a lot for the cgi user to have write
> access to the CVS tree. Even though the annotation software itself may
> do nothing more risky than temporarily locking files, what of bugs that
> might allow someone to make more extensive changes?
>
> The annotation display is kind of nice, but it doesn't strike me as
> useful enough to be worth taking any risks for. The people who are
> likely to need it all have local CVS copies and can just run "cvs anno"
> when they need it. (But then, I only find a use for this maybe a couple
> times a year. Perhaps other people depend on it more?)
>
> regards, tom lane
>
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
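The concern raised above is that the CGI user must never hold write access to the CVS tree (CVSROOT/history, lock subdirectories). The following POSIX shell audit is an added example, not code from the thread or from cvsweb; it assumes the repository root and the CGI user's numeric uid are known and supplied as arguments, and it reports every path in the tree that is world-writable or owned by that uid. A clean tree returns a count of 0.

```shell
#!/bin/sh
# Added example (not part of the original thread or of cvsweb):
# audit a CVS tree for paths the web/CGI user could write to.
# Assumptions: ROOT is the repository root, CGI_UID is the numeric uid the
# web server runs cvsweb.cgi as. Group-writable paths are not flagged here;
# if the CGI user belongs to the repository group, add a -group test.

# writable_by_cgi ROOT CGI_UID -> prints offending paths, one per line
writable_by_cgi() {
    root=$1
    cgi_uid=$2
    # -perm -o=w : world-writable; -user N : owned by that uid
    find "$root" \( -perm -o=w -o -user "$cgi_uid" \) -print 2>/dev/null | sort
}

# count_writable ROOT CGI_UID -> number of offending paths (0 means clean)
count_writable() {
    writable_by_cgi "$1" "$2" | wc -l | tr -d ' '
}

# build_demo_tree DIR -> constructs a minimal CVSROOT/history under DIR
# (constructed sample layout for the demo, not a real repository)
build_demo_tree() {
    mkdir -p "$1/CVSROOT"
    : > "$1/CVSROOT/history"
    chmod 755 "$1" "$1/CVSROOT"
    chmod 644 "$1/CVSROOT/history"
}

# Stand-alone demo: a hypothetical CGI uid that owns nothing in the tree
# yields 0; opening CVSROOT/history to the world yields 1.
demo() {
    tmp=$(mktemp -d)
    build_demo_tree "$tmp"
    cgi_uid=$(( $(id -u) + 1 ))   # constructed uid, assumed not to own the tree
    echo "clean tree: $(count_writable "$tmp" "$cgi_uid") writable path(s)"
    chmod o+w "$tmp/CVSROOT/history"
    echo "after chmod o+w history:"
    writable_by_cgi "$tmp" "$cgi_uid"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh audit.sh demo` to see the constructed tree pass and then fail; in practice, run `count_writable /path/to/cvsroot <uid-of-www>` from cron and alert on any non-zero result, since the annotate feature, if ever re-enabled, would require exactly the write access this check is meant to catch.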