X-Original-To: pgsql-www-postgresql.org@localhost.postgresql.org
Received: from localhost (unknown [200.46.204.2]) by svr1.postgresql.org (Postfix) with ESMTP id AB01AD1DCAC; Wed, 11 Feb 2004 16:40:39 +0000 (GMT)
Received: from svr1.postgresql.org ([200.46.204.71]) by localhost (neptune.hub.org [200.46.204.2]) (amavisd-new, port 10024) with ESMTP id 89404-07; Wed, 11 Feb 2004 12:40:23 -0400 (AST)
Received: from ganymede.hub.org (u46n208.hfx.eastlink.ca [24.222.46.208]) by svr1.postgresql.org (Postfix) with ESMTP id 8D4C5D1D8AE; Wed, 11 Feb 2004 12:40:24 -0400 (AST)
Received: by ganymede.hub.org (Postfix, from userid 1000) id 6BA2437510; Wed, 11 Feb 2004 12:35:58 -0400 (AST)
Received: from localhost (localhost [127.0.0.1]) by ganymede.hub.org (Postfix) with ESMTP id 6ABC336528; Wed, 11 Feb 2004 12:35:58 -0400 (AST)
Date: Wed, 11 Feb 2004 12:35:58 -0400 (AST)
From: "Marc G. Fournier"
X-X-Sender: scrappy@ganymede.hub.org
To: Tom Lane
Cc: Robert Treat, "Marc G. Fournier", pgsql-www@postgresql.org
Subject: Re: things currently broken/missing
In-Reply-To: <21453.1076516116@sss.pgh.pa.us>
Message-ID: <20040211123247.U40659@ganymede.hub.org>
References: <1076509856.18024.90.camel@camel> <20040211110619.D40659@ganymede.hub.org> <1076514410.17920.94.camel@camel> <21453.1076516116@sss.pgh.pa.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by amavisd-new at postgresql.org
X-Archive-Number: 200402/58
X-Sequence-Number: 3623

Doing a quick look, we're running an *ancient* version (not sure what version):

  # $Id: cvsweb.cgi,v 1.1.1.1 2001/10/03 12:24:53 root Exp $

vs 2.0.6 which is in FreeBSD ports:

  # $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.119.2.6 2002/09/26 20:56:05 scop Exp $

and:

  The latest beta version, 2.9.2 on the web site at:
  http://www.freebsd.org/projects/cvsweb.html

so, do we want to look at upgrading? :)

On Wed, 11 Feb 2004, Tom Lane wrote:

> Robert Treat writes:
> > On Wed, 2004-02-11 at 10:19, Marc G. Fournier wrote:
> >> Odd ... I just disabled it ... why would we want that ability enabled:
> >>
> >> # allow annotation of files
> >> # this requires rw-access to the
> >> # CVSROOT/history - file and rw-access
> >> # to the subdirectory to place the lock
> >> # so you maybe don't want it
> >>
> >> Sounds to me like anyone with a web browser can write to CVS?
> >
> > That's not what it's supposed to do, though it does sound like that's what
> > it does from the instructions you've pasted. What it's supposed to do is
> > give you a breakdown of file changes per version, similar to this:
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/urchin5/Makefile?annotate=1.2
>
> I think we probably ought to leave this turned off. From a security
> standpoint, it would scare me quite a lot for the cgi user to have write
> access to the CVS tree. Even though the annotation software itself may
> do nothing more risky than temporarily locking files, what of bugs that
> might allow someone to make more extensive changes?
>
> The annotation display is kind of nice, but it doesn't strike me as
> useful enough to be worth taking any risks for. The people who are
> likely to need it all have local CVS copies and can just run "cvs anno"
> when they need it. (But then, I only find a use for this maybe a couple
> times a year. Perhaps other people depend on it more?)
>
> regards, tom lane
>

----
Marc G. Fournier   Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org   Yahoo!: yscrappy   ICQ: 7615664
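The point of the thread is that the cvsweb CGI user should have no write access to the CVS tree at all, so that leaving annotation off is also enforced by the filesystem rather than only by a config switch. The script below is an added example, not part of the thread and not cvsweb's or CVS's own code: it walks a repository and reports every directory and file whose POSIX mode bits grant write access to a given uid/gid (the identity the web server runs as), which is exactly what the annotation feature would need on CVSROOT/history and on each module directory. The repository layout, the file modes and the "www" uid/gid it checks against are constructed placeholders built in a temporary directory; on a real system you would pass the actual CVSROOT path and the web server's uid, gid and supplementary groups.

```python
"""Audit a CVS repository for paths writable by the web-server identity.

Added example: a read-only cvsweb deployment should report no writable paths
for the CGI user. The demo repository, its modes and the 'www' identity are
constructed here; nothing is read from a real system.
"""
import os
import stat
import tempfile
from pathlib import Path


def identity_can_write(st, uid, gid, groups=()):
    """POSIX permission rule for an unprivileged process: the owner class is
    checked if the uid matches, else the group class if any gid matches, else
    'other'. Only the write bit of the selected class counts."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_cvs_repo(cvsroot, uid, gid, groups=()):
    """Return the sorted, repository-relative paths (directories and files)
    that (uid, gid, groups) may write. Directories matter because creating a
    lock file needs write on the directory; CVSROOT/history matters because
    annotation appends to it. Symlinks are skipped: their own mode bits are
    not what the kernel consults."""
    root = Path(cvsroot)
    writable = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for p in [d] + [d / f for f in filenames]:
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if identity_can_write(st, uid, gid, groups):
                rel = p.relative_to(root)
                writable.append("." if rel == Path(".") else str(rel))
    return sorted(writable)


def build_demo_repo():
    """Construct a toy repository in a temp dir (constructed sample data):
      ./                0755
      CVSROOT/          0755
      CVSROOT/history   0664   group-writable, as CVS commonly leaves it
      src/              0777   world-writable: the misconfiguration to catch
      src/main.c,v      0644
    Modes are set explicitly so the result does not depend on the umask."""
    base = Path(tempfile.mkdtemp(prefix="cvsaudit-"))
    (base / "CVSROOT").mkdir()
    (base / "CVSROOT" / "history").write_text("")
    (base / "src").mkdir()
    (base / "src" / "main.c,v").write_text("head 1.1;\n")
    os.chmod(base, 0o755)
    os.chmod(base / "CVSROOT", 0o755)
    os.chmod(base / "CVSROOT" / "history", 0o664)
    os.chmod(base / "src", 0o777)
    os.chmod(base / "src" / "main.c,v", 0o644)
    return str(base)


def demo():
    """Audit the demo repository twice: as its owner (who legitimately has
    write access everywhere) and as a placeholder 'www' identity that shares
    neither uid nor gid with the owner. Only the world-writable src/ directory
    should show up for the web identity."""
    repo = build_demo_repo()
    owner_uid, owner_gid = os.getuid(), os.getgid()
    web_uid, web_gid = owner_uid + 1000, owner_gid + 1000  # placeholder "www"
    return {
        "owner": audit_cvs_repo(repo, owner_uid, owner_gid),
        "web": audit_cvs_repo(repo, web_uid, web_gid),
    }


if __name__ == "__main__":
    for who, paths in demo().items():
        print(f"{who}: {paths or 'nothing writable'}")
```

For the constructed layout the web identity is reported as able to write only `src` (the world-writable module directory), while the owner is reported on every path; an empty list for the web identity is the state Tom Lane is asking for.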