X-Original-To: pgsql-www-postgresql.org@localhost.postgresql.org
Received: from localhost (unknown [200.46.204.2]) by svr1.postgresql.org (Postfix) with ESMTP id 65101D1B53C; Wed, 11 Feb 2004 17:29:39 +0000 (GMT)
Received: from svr1.postgresql.org ([200.46.204.71]) by localhost (neptune.hub.org [200.46.204.2]) (amavisd-new, port 10024) with ESMTP id 11782-09; Wed, 11 Feb 2004 13:29:21 -0400 (AST)
Received: from 213-84-207-11.adsl.xs4all.nl (nexus.xs4all.nl [213.84.207.11]) by svr1.postgresql.org (Postfix) with ESMTP id 07DF0D1D8AE; Wed, 11 Feb 2004 13:29:22 -0400 (AST)
Received: by 213-84-207-11.adsl.xs4all.nl (Postfix, from userid 1000) id 3CF6B1BD; Wed, 11 Feb 2004 18:27:47 +0100 (CET)
Date: Wed, 11 Feb 2004 18:27:47 +0100
From: Jeroen Ruigrok/asmodai
To: Tom Lane
Cc: Robert Treat, "Marc G. Fournier", pgsql-www@postgresql.org
Subject: Re: things currently broken/missing
Message-ID: <20040211172747.GR39523@nexus.ninth-circle.org>
References: <1076509856.18024.90.camel@camel> <20040211110619.D40659@ganymede.hub.org> <1076514410.17920.94.camel@camel> <21453.1076516116@sss.pgh.pa.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <21453.1076516116@sss.pgh.pa.us>
Organisation: Ninth Circle Enterprises
User-Agent: Mutt/1.5.5.1i
X-Virus-Scanned: by amavisd-new at postgresql.org
X-Archive-Number: 200402/60
X-Sequence-Number: 3625

-On [20040211 17:32], Tom Lane (tgl@sss.pgh.pa.us) wrote:
>I think we probably ought to leave this turned off. From a security
>standpoint, it would scare me quite a lot for the cgi user to have write
>access to the CVS tree. Even though the annotation software itself may
>do nothing more risky than temporarily locking files, what of bugs that
>might allow someone to make more extensive changes?

Make sure to replace every call to 'cvs' with 'cvs -R'. This enables
read-only repository mode.
Or set the relevant environment variable.

Note that cvs 1.12.x is more intelligent about locks.

-- 
Jeroen Ruigrok van der Werven / asmodai / kita no mono
PGP fingerprint: 2D92 980E 45FE 2C28 9DB7 9D88 97E6 839B 2EAC 625B
http://www.tendra.org/ | http://diary.in-nomine.org/
Expansion of happiness is the purpose of life...
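
An added example, not part of the original message or of any project's code: a shim that a CGI could call instead of `cvs`, so that every invocation gets `-R` and the read-only environment variable without editing each call site. Assumptions: the variable is CVS's documented `CVSREADONLYFS`; the `REAL_CVS` path, the subcommand allowlist and the function names are hypothetical choices of this example.

```shell
#!/bin/sh
# Added example: read-only shim for cvs, for use by a CGI user.
# REAL_CVS and READ_ONLY_CMDS are assumptions; adjust them to the installation.
REAL_CVS="${REAL_CVS:-/usr/bin/cvs}"
# Subcommands a browsing/annotation CGI typically needs (assumed list).
READ_ONLY_CMDS="annotate log rlog rdiff diff checkout co export status version"

# Print the cvs subcommand: the first word that is not a global option.
# Global options -b -T -d -e -s -z take an argument, which is skipped too.
cvs_subcommand() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -b|-T|-d|-e|-s|-z)
                shift
                if [ $# -gt 0 ]; then shift; fi ;;
            -*) shift ;;
            *)  printf '%s\n' "$1"; return 0 ;;
        esac
    done
    return 1
}

# Run cvs with -R and CVSREADONLYFS set. Anything that is not on the
# allowlist (commit, add, remove, import, tag, admin, ...) is refused
# before cvs is started, as defence in depth on top of file permissions.
readonly_cvs() {
    sub=$(cvs_subcommand "$@") || { echo "cvs-ro: no subcommand given" >&2; return 64; }
    allowed=no
    for c in $READ_ONLY_CMDS; do
        if [ "$c" = "$sub" ]; then allowed=yes; fi
    done
    if [ "$allowed" != yes ]; then
        echo "cvs-ro: subcommand '$sub' refused" >&2
        return 77
    fi
    CVSREADONLYFS=1 "$REAL_CVS" -R "$@"
}

# When installed under the name "cvs" ahead of the real binary in the CGI's
# PATH, act as the command itself; otherwise only define the functions.
case "${0##*/}" in
    cvs) readonly_cvs "$@"; exit $? ;;
esac
```

With the shim in place the CGI user no longer needs to create lock files, so the repository can be made unwritable for that account, which is the condition the quoted concern asks for.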