svn commit: r1555 - branches/1.0.x/INSTALL: msg#00021

Subject: svn commit: r1555 - branches/1.0.x/INSTALL
Author: cmpilato
Date: 2007-03-28 19:08:15-0700
New Revision: 1555

Modified:
   branches/1.0.x/INSTALL

Log:
* INSTALL
  (SECURITY INFORMATION): New section (copied from trunk).


Modified: branches/1.0.x/INSTALL
Url: 
http://viewvc.tigris.org/source/browse/viewvc/branches/1.0.x/INSTALL?view=diff&rev=1555&p1=branches/1.0.x/INSTALL&p2=branches/1.0.x/INSTALL&r1=1554&r2=1555
==============================================================================
--- branches/1.0.x/INSTALL      (original)
+++ branches/1.0.x/INSTALL      2007-03-28 19:08:15-0700
@@ -1,6 +1,7 @@
 CONTENTS
 --------
   TO THE IMPATIENT
+  SECURITY INFORMATION
   INSTALLING VIEWVC
   APACHE CONFIGURATION
   UPGRADING VIEWVC
@@ -71,6 +72,39 @@
     `INSTALLING VIEWVC' below is still recommended reading.
 
 
+SECURITY INFORMATION
+--------------------
+
+ViewVC provides a feature which allows version controlled content to
+be served to web browsers just like static web server content.  So, if
+you have a directory full of interrelated HTML files that is housed in
+your version control repository, ViewVC can serve those files as HTML.
+You'll see in your web browser what you'd see if the files were part
+of your website, with working references to stylesheets and images and
+links to other pages.
+
+It is important to realize, however, that as useful as that feature
+is, there is some risk security-wise in its use.  Essentially, anyone
+with commit access to the CVS or Subversion repositories served by
+ViewVC has the ability to affect site content.  If a discontented or
+ignorant user commits malicious HTML to a version controlled file
+(perhaps just by way of documenting examples of such), that malicious
+HTML is effectively published and live on your ViewVC instance.
+Visitors viewing those versioned controlled documents get the
+malicious code, too, which might not be what the original author
+intended.
+
+If you wish to disable ViewVC's "checkout" view which implements this
+feature, you can do so by editing lib/viewvc.py, and modifying the
+function view_checkout() like so, adding the lines indicated:
+
+      def view_checkout(request):
+>>      raise debug.ViewVCException('Checkout view is disabled',
+>>                                  '403 Forbidden')
+        path, rev = _orig_path(request)
+        fp, revision = request.repos.openfile(path, rev)
+
+
 INSTALLING VIEWVC
 ------------------

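Review bot: The disabling recipe in the new SECURITY INFORMATION section patches lib/viewvc.py directly, and the text does not say that this edit lives in the installed code rather than in configuration, so it will silently disappear on the next upgrade of ViewVC; suggest adding a sentence noting that the change must be reapplied after upgrading (or referencing UPGRADING VIEWVC). The snippet itself is fine as shown: the `raise` is placed before `path, rev = _orig_path(request)`, so no repository access happens before the 403 is returned. Two wording nits in the same hunk: "versioned controlled documents" should read "version controlled documents", and the risk description could state plainly that the committed HTML is served from the ViewVC site itself, which is why a visitor receives it as site content.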

