-On [20040211 17:32], Tom Lane (tgl@sss.pgh.pa.us) wrote:
>I think we probably ought to leave this turned off. From a security
>standpoint, it would scare me quite a lot for the cgi user to have write
>access to the CVS tree. Even though the annotation software itself may
>do nothing more risky than temporarily locking files, what of bugs that
>might allow someone to make more extensive changes?
Make sure to replace every call to 'cvs' with 'cvs -R'. This enables
read-only repository mode. Or set the relevant environment variable.
Note that cvs 1.12.x is more intelligent about locks.
--
Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / kita no mono
PGP fingerprint: 2D92 980E 45FE 2C28 9DB7 9D88 97E6 839B 2EAC 625B
http://www.tendra.org/ | http://diary.in-nomine.org/
Expansion of happiness is the purpose of life...
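
To check the advice above ("replace every call to 'cvs' with 'cvs -R'") against a script, the following added example (not part of the original message or of any project's code) audits source text for cvs invocations that lack `-R` among the global options; a `-R` placed after the subcommand is a per-command option and does not count. The list of value-taking global options is taken from the cvs manual as an assumption, and the sample input is constructed.

```python
import re
import shlex

# Global cvs options that take a value, attached ("-d/cvsroot") or as the next token.
OPTS_WITH_VALUE = set("bTdesz")
# A cvs invocation in a string, backticks or a bare command; captures its arguments.
CVS_CALL = re.compile(r"(?:^|[\s\"'`/(])cvs\s+([^|;&\"'`)]*)")

def has_global_readonly(args):
    """True if -R appears among the global options, i.e. before the subcommand."""
    i = 0
    while i < len(args):
        tok = args[i]
        if not tok.startswith("-") or tok == "-":
            return False              # reached the subcommand without seeing -R
        if not tok.startswith("--"):  # long options are skipped
            flags = tok[1:]
            for pos, flag in enumerate(flags):
                if flag == "R":
                    return True
                if flag in OPTS_WITH_VALUE:
                    if pos == len(flags) - 1:
                        i += 1        # the value is the next token
                    break             # the rest of this token is the value
        i += 1
    return False

def audit(source):
    """Return (line number, line) for every cvs call lacking the global -R."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                  # skip whole-line comments
        for match in CVS_CALL.finditer(line):
            if not has_global_readonly(shlex.split(match.group(1))):
                findings.append((number, line.strip()))
    return findings

# Constructed sample resembling a Perl CGI script; not taken from any real project.
SAMPLE = r'''
open(my $fh, "-|", "cvs -R annotate -r $rev $file");
system("cvs annotate -R $file");
my $log = `/usr/bin/cvs -q -d /cvsroot -R log $file`;
my $all = `cvs -qR rlog $module`;
system("cvs -d /cvsroot rlog $module");
'''
if __name__ == "__main__":
    for number, line in audit(SAMPLE):
        print(f"line {number}: missing global -R: {line}")
```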