/backup/builder.in.sv.gnu.org/usr/src/patched/cvs-patches/cvs-allow-root-regexp.patch
Patch | 359 lines | 342 code | 17 blank | 0 comment | 0 complexity | 31547e6baa432906ba1c75160bd3f428 MD5 | raw file
Possible License(s): GPL-3.0, GPL-2.0
- Index: ChangeLog
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/ChangeLog,v
- retrieving revision 1.1348
- retrieving revision 1.1349
- diff -u -r1.1348 -r1.1349
- --- ChangeLog 8 May 2007 12:35:53 -0000 1.1348
- +++ ChangeLog 9 May 2007 23:58:28 -0000 1.1349
- @@ -1,3 +1,8 @@
- +2007-05-09 Derek Price <derek@ximbiot.com>
- + and Sylvain Beucler <beuc@beuc.net>
- +
- + * NEWS: Documented --allow-root-regexp.
- +
- 2007-05-07 Derek Price <derek@ximbiot.com>
-
- * NEWS: Note removal of remote `cvs init'.
- Index: NEWS
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/NEWS,v
- retrieving revision 1.367
- retrieving revision 1.368
- diff -u -r1.367 -r1.368
- --- NEWS 8 May 2007 12:35:53 -0000 1.367
- +++ NEWS 9 May 2007 23:58:28 -0000 1.368
- @@ -23,6 +23,9 @@
- * When UseNewInfoFmtStrings is enabled, the %{vV} formats will now
- expose the real version instead of NONE for removed files.
-
- +* A new command line option, --allow-root-regexp, was added which allows
- +acceptable repositories to be specified using a list of regular expressions.
- +
- BUG FIXES
-
- * The CVS server will no longer allow clients to run `cvs init'.
- Index: doc/ChangeLog
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/doc/ChangeLog,v
- retrieving revision 1.978
- retrieving revision 1.979
- diff -u -r1.978 -r1.979
- --- doc/ChangeLog 8 May 2007 12:35:53 -0000 1.978
- +++ doc/ChangeLog 9 May 2007 23:44:25 -0000 1.979
- @@ -1,3 +1,8 @@
- +2007-05-09 Derek Price <derek@ximbiot.com>
- + and Sylvain Beucler <beuc@beuc.net>
- +
- + * cvs.texinfo: Document --allow-root-regexp.
- +
- 2007-05-07 Derek Price <derek@ximbiot.com>
-
- * cvsclient.text: Remove references to remote `init' command.
- Index: doc/cvs.texinfo
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/doc/cvs.texinfo,v
- retrieving revision 1.698
- retrieving revision 1.699
- diff -u -r1.698 -r1.699
- --- doc/cvs.texinfo 12 Sep 2006 20:30:25 -0000 1.698
- +++ doc/cvs.texinfo 9 May 2007 23:44:25 -0000 1.699
- @@ -2604,15 +2604,19 @@
- The @samp{--allow-root} option specifies the allowable
- @sc{cvsroot} directory. Clients which attempt to use a
- different @sc{cvsroot} directory will not be allowed to
- -connect. If there is more than one @sc{cvsroot}
- -directory which you want to allow, repeat the option.
- +connect. To allow a whole class of @sc{cvsroot}, specify
- +a regular expression to match allowed directories with the
- +@samp{--allow-root-regexp} option. These options may be
- +used in conjunction and both options may be repeated to
- +allow access to multiple @sc{cvsroot} directories and
- +classes of directories.
- (Unfortunately, many versions of @code{inetd} have very small
- limits on the number of arguments and/or the total length
- of the command. The usual solution to this problem is
- to have @code{inetd} run a shell script which then invokes
- @sc{cvs} with the necessary arguments.)
-
- - If your @code{inetd} wants a symbolic service
- +If your @code{inetd} wants a symbolic service
- name instead of a raw port number, then put this in
- @file{/etc/services}:
-
- @@ -12332,10 +12336,15 @@
-
- @table @code
- @item --allow-root=@var{rootdir}
- -Specify legal @sc{cvsroot} directory (server only) (not
- -in @sc{cvs} 1.9 and older). See @ref{Password
- +Specify acceptable @sc{cvsroot} directory (server only).
- +Appeared in @sc{cvs} 1.10. See @ref{Password
- authentication server}.
-
- +@item --allow-root-regexp=@var{rootdir}
- +Specify a regular expression which matches acceptable
- +@sc{cvsroot} directories (server only). Appeared in @sc{cvs}
- +1.12.14. See @ref{Password authentication server}.
- +
- @item -a
- Authenticate all communication (client only) (not in @sc{cvs}
- 1.9 and older). See @ref{Global options}.
- @@ -15944,6 +15953,7 @@
- specific reason for denying authorization. Check that
- the username and password specified are correct and
- that the @code{CVSROOT} specified is allowed by @samp{--allow-root}
- +or @samp{--allow-root-regexp}
- in @file{inetd.conf}. See @ref{Password authenticated}.
-
- @item cvs @var{command}: Bad root @var{directory}
- Index: doc/stamp-vti
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/doc/stamp-vti,v
- retrieving revision 1.200
- retrieving revision 1.201
- diff -u -r1.200 -r1.201
- --- doc/stamp-vti 8 May 2007 12:35:53 -0000 1.200
- +++ doc/stamp-vti 9 May 2007 23:44:25 -0000 1.201
- @@ -1,4 +1,4 @@
- -@set UPDATED 26 October 2006
- -@set UPDATED-MONTH October 2006
- +@set UPDATED 9 May 2007
- +@set UPDATED-MONTH May 2007
- @set EDITION 1.12.13.1
- @set VERSION 1.12.13.1
- Index: doc/version.texi
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/doc/version.texi,v
- retrieving revision 1.202
- retrieving revision 1.203
- diff -u -r1.202 -r1.203
- --- doc/version.texi 8 May 2007 12:35:53 -0000 1.202
- +++ doc/version.texi 9 May 2007 23:44:25 -0000 1.203
- @@ -1,4 +1,4 @@
- -@set UPDATED 26 October 2006
- -@set UPDATED-MONTH October 2006
- +@set UPDATED 9 May 2007
- +@set UPDATED-MONTH May 2007
- @set EDITION 1.12.13.1
- @set VERSION 1.12.13.1
- Index: src/ChangeLog
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/src/ChangeLog,v
- retrieving revision 1.3508
- retrieving revision 1.3509
- diff -u -r1.3508 -r1.3509
- --- src/ChangeLog 8 May 2007 12:35:53 -0000 1.3508
- +++ src/ChangeLog 9 May 2007 23:54:33 -0000 1.3509
- @@ -1,3 +1,19 @@
- +2007-05-09 Derek Price <derek@ximbiot.com>
- + for Sylvain Beucler <beuc@beuc.net>
- +
- + * main.c (main): Use new root_allow_regexp_add function, declare
- + new --allow-root-regexp option parameter.
- + * root.c: Added new functions root_allow_regexp_add and
- + root_allow_compare_regexp, new variables
- + root_allow_regexp. Modified root_allow_ok, root_allow_used and
- + root_allow_free. The code adds the matched repository path to
- + root_allow as if specified using --allow-root. --allow-root is not
- + mandatory anymore if --allow-root-regexp is used instead.
- + (Original 2001/2004 patches from Roland Mas <lolando@debian.org>.)
- +
- + * sanity.sh: Added test cases as pserver-3b and pserver-3c,
- + updated pserver-3.
- +
- 2007-05-07 Derek Price <derek@ximbiot.com>
-
- * mkmodules.c (init): Assert that the server is not active.
- Index: src/main.c
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/src/main.c,v
- retrieving revision 1.268
- retrieving revision 1.269
- diff -u -r1.268 -r1.269
- --- src/main.c 17 May 2006 15:24:30 -0000 1.268
- +++ src/main.c 9 May 2007 23:54:33 -0000 1.269
- @@ -576,6 +576,7 @@
- {"verify-arg", required_argument, NULL, 12},
- #ifdef SERVER_SUPPORT
- {"allow-root", required_argument, NULL, 3},
- + {"allow-root-regexp", required_argument, NULL, 14},
- {"timeout", required_argument, NULL, 13},
- #endif /* SERVER_SUPPORT */
- {0, 0, 0, 0}
- @@ -823,6 +824,10 @@
- /* --allow-root */
- root_allow_add (optarg, gConfigPath);
- break;
- + case 14:
- + /* --allow-root-regexp */
- + root_allow_regexp_add (optarg, gConfigPath);
- + break;
- case 13:
- /* --timeout */
- connection_timeout = strtol (optarg, &end, 10);
- Index: src/root.c
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/src/root.c,v
- retrieving revision 1.125
- retrieving revision 1.126
- diff -u -r1.125 -r1.126
- --- src/root.c 24 Apr 2006 18:50:27 -0000 1.125
- +++ src/root.c 9 May 2007 23:54:33 -0000 1.126
- @@ -285,6 +285,7 @@
- directories. Then we can check against them when a remote user
- hands us a CVSROOT directory. */
- static List *root_allow;
- +static List *root_allow_regexp;
-
- static void
- delconfig (Node *n)
- @@ -308,21 +309,65 @@
- }
-
- void
- +root_allow_regexp_add (const char *arg, const char *configPath)
- +{
- + Node *n;
- +
- + if (!root_allow_regexp) root_allow_regexp = getlist();
- + n = getnode();
- + n->key = xstrdup (arg);
- +
- + /* This is a regexp, not the final cvsroot path - we cannot attach
- + it a config. So we attach configPath and we'll root_allow_add()
- + the actual, matching root in root_allow_compare_regexp() */
- + n->data = (void*)configPath;
- +
- + addnode (root_allow_regexp, n);
- +}
- +
- +void
- root_allow_free (void)
- {
- dellist (&root_allow);
- + dellist (&root_allow_regexp);
- }
-
- bool
- root_allow_used (void)
- {
- - return root_allow != NULL;
- + return root_allow || root_allow_regexp;
- +}
- +
- +/* walklist() callback for determining if 'root_to_check' matches
- + n->key (a regexp). If yes, 'root_to_check' will be added as if
- + directly specified through --allow-root.
- + */
- +static int
- +root_allow_compare_regexp (Node *n, void *root_to_check)
- +{
- + int status;
- + regex_t re;
- +
- + if (regcomp(&re, n->key,
- + REG_EXTENDED|REG_NOSUB) != 0)
- + {
- + return 0; /* report error? */
- + }
- + status = regexec(&re, root_to_check, (size_t) 0, NULL, 0);
- + regfree(&re);
- + if (status == 0)
- + {
- + /* n->data contains gConfigPath */
- + root_allow_add (root_to_check, n->data);
- + return 1;
- + }
- + return 0;
- }
-
- bool
- root_allow_ok (const char *arg)
- {
- - if (!root_allow)
- + if (!root_allow_used())
- {
- /* Probably someone upgraded from CVS before 1.9.10 to 1.9.10
- or later without reading the documentation about
- @@ -334,12 +379,18 @@
- back "error" rather than waiting for the next request which
- expects responses. */
- printf ("\
- -error 0 Server configuration missing --allow-root in inetd.conf\n");
- +error 0 Server configuration missing --allow-root or --allow-root-regexp in inetd.conf\n");
- exit (EXIT_FAILURE);
- }
-
- + /* Look for 'arg' in the list of full-path allowed roots */
- if (findnode (root_allow, arg))
- return true;
- +
- + /* Match 'arg' against the list of allowed roots regexps */
- + if (walklist (root_allow_regexp, root_allow_compare_regexp, (void*)arg))
- + return true;
- +
- return false;
- }
-
- Index: src/root.h
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/src/root.h,v
- retrieving revision 1.24
- retrieving revision 1.25
- diff -u -r1.24 -r1.25
- --- src/root.h 24 Apr 2006 18:50:27 -0000 1.24
- +++ src/root.h 9 May 2007 23:54:33 -0000 1.25
- @@ -89,6 +89,7 @@
- __attribute__ ((__malloc__));
- void Create_Root (const char *dir, const char *rootdir);
- void root_allow_add (const char *, const char *configPath);
- +void root_allow_regexp_add (const char *, const char *configPath);
- void root_allow_free (void);
- bool root_allow_used (void);
- bool root_allow_ok (const char *);
- Index: src/sanity.sh
- ===================================================================
- RCS file: /cvsroot/cvs/ccvs/src/sanity.sh,v
- retrieving revision 1.1175
- retrieving revision 1.1176
- diff -u -r1.1175 -r1.1176
- --- src/sanity.sh 8 May 2007 12:35:53 -0000 1.1175
- +++ src/sanity.sh 9 May 2007 23:54:33 -0000 1.1176
- @@ -31622,7 +31622,7 @@
- willfail: :whocares
- EOF
- dotest_fail pserver-3 "$servercvs pserver" \
- -"error 0 Server configuration missing --allow-root in inetd.conf" <<EOF
- +"error 0 Server configuration missing --allow-root or --allow-root-regexp in inetd.conf" <<EOF
- BEGIN AUTH REQUEST
- $CVSROOT_DIRNAME
- testme
- @@ -31640,6 +31640,27 @@
- END AUTH REQUEST
- EOF
-
- + regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
- + dotest pserver-3b "${testcvs} --allow-root-regexp=$regexp pserver" \
- +"I LOVE YOU" <<EOF
- +BEGIN AUTH REQUEST
- +${CVSROOT_DIRNAME}
- +testme
- +Ay::'d
- +END AUTH REQUEST
- +EOF
- +
- + regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
- + dotest_fail pserver-3c "${testcvs} --allow-root-regexp=$regexp pserver" \
- +"$CPROG pserver: ${CVSROOT_DIRNAME}/subdir: no such repository
- +I HATE YOU" <<EOF
- +BEGIN AUTH REQUEST
- +${CVSROOT_DIRNAME}/subdir
- +testme
- +Ay::'d
- +END AUTH REQUEST
- +EOF
- +
- # Confirm that not sending a newline during auth cannot constitute
- # a denial-of-service attack. This assumes that PATH_MAX is less
- # than 65536 bytes. If PATH_MAX is larger than 65535 bytes, this