Re: Git cvsserver serious issue

On Thu, Oct 7, 2010 at 16:07, Andrew Dunstan <andrew@dunslane.net> wrote:
>
> On 10/07/2010 09:44 AM, Magnus Hagander wrote:
>>
>> On Thu, Oct 7, 2010 at 15:16, Andrew Dunstan<andrew@dunslane.net>  wrote:
>>>
>>> On 09/23/2010 01:18 PM, Aidan Van Dyk wrote:
>>>>
>>>> On Thu, Sep 23, 2010 at 11:49 AM, Tom Lane<tgl@sss.pgh.pa.us>    wrote:
>>>>>
>>>>> Magnus Hagander<magnus@hagander.net>    writes:
>>>>>>
>>>>>> On Thu, Sep 23, 2010 at 17:32, Andrew Dunstan<andrew@dunslane.net>
>>>>>>  wrote:
>>>>>>>
>>>>>>> Are we sure that's going to stop the DOS issue?
>>>>>>
>>>>>> As long as it's done right, I don't see how it wouldn't.
>>>>>
>>>>> There might be a cleaner way to do it, but after a moment's inspection
>>>>> of the script, I'd be inclined to just hack GITCVS::updater->new() to
>>>>> throw error if $module is neither "master" nor "REL\d_\d_STABLE".
>>>>> Keep in mind of course that I'm a lousy Perl coder.
>>>>
>>>> Here's a quick change that will allow you to specifig a "modules" in
>>>> the gitcvs section to export, like:
>>>>     [gitcvs]
>>>>          enabled=1
>>>>          modules=master,REL9_0_STABLE,REL8_4_STABLE
>>>>
>>>> --- git-cvsserver.orig  2010-09-23 12:03:06.000000000 -0400
>>>> +++ git-cvsserver       2010-09-23 13:16:53.000000000 -0400
>>>> @@ -2771,6 +2771,12 @@
>>>>
>>>>      die "Git repo '$self->{git_path}' doesn't exist" unless ( -d
>>>> $self->{git_path} );
>>>>
>>>> +    if (defined $cfg->{gitcvs}{modules})
>>>> +    {
>>>> +        $log->debug("Limitting modules: ". $cfg->{gitcvs}{modules});
>>>> +        die "Invalid module $module" unless map {/^ *$module$/}
>>>> split(',', $cfg->{gitcvs}{modules});
>>>> +    }
>>>> +
>>>>      $self->{dbdriver} = $cfg->{gitcvs}{$state->{method}}{dbdriver} ||
>>>>          $cfg->{gitcvs}{dbdriver} || "SQLite";
>>>>      $self->{dbname} = $cfg->{gitcvs}{$state->{method}}{dbname} ||
>>>
>>> OK, let's go with that. I was kinda hoping that we wouldn't have to do
>>> this
>>> at all, but Stefan has been having serious problems getting git to build
>>> and
>>> run on spoonbill, and I don't want to take up more of his time or be
>>> without
>>> it for very long.
>>
>> Are we doing this *just* for spoonbill? If so, it's a lot easier to
>> just filter-by-IP, so we don't have to maintain a patched version...
>>
>
> That's the only one I know of - there could certainly be others - but if
> we're going to support continued CVS use I want to be able to test it, and I
> don't have a static IP address. Can you filter by name lookup? I have a
> dyndns name.

No, filtering is by IP. ssh forwarding might work.


> OTOH, this patch seems pretty small and simple to maintain.

True, it is rather small.

Does anybody know if there's an automated way to maintain that on
freebsd ports, and if so, how that works? I want to be *sure* we can't
accidentally upgrade git-cvsserver *without* the patch, since that is
a security issue.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/