Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' c
Moritz Naumann wrote:
> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.
Backporting this change will be overkill, I think. It includes
configuration bits for toggling enablement of various ViewVC views. For
most folks, though, this is one of those configure-once-and-never-look-back
items. So, it might be easier to just hard-code the disablement. You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception. Pseudo-patch for ViewVC:
def view_checkout(request):
+ raise debug.ViewVCException('Checkout view is disabled',
+ '403 Forbidden')
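Review bot: the unconditional raise at the top of view_checkout() leaves the rest of the function in place as unreachable code, and nothing in the hunk records why. A one-line comment above the raise stating that the checkout view is disabled deliberately would keep a later maintainer, or a distributor refreshing the package, from dropping the line as a stray debugging leftover.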
or for ViewCVS:
def view_checkout(request):
+ raise debug.ViewCVSException('Checkout view is disabled',
+ '403 Forbidden')
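Review bot: the raise in this variant only works if debug.ViewCVSException is the class the installed lib/viewcvs.py provides; applying the ViewVC form of the hunk to a ViewCVS tree, or the reverse, would raise an attribute error rather than the intended exception carrying '403 Forbidden'. After applying the change, request the checkout view once and confirm the response is the 403 with the 'Checkout view is disabled' message.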
--
C. Michael Pilato <cmpilato@collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand