<<< Date Index >>>     <<< Thread Index >>>

Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' content type fixation issue



Moritz Naumann wrote:

> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.

Backporting this change will be overkill, I think.  It includes
configuration bits for toggling enablement of various ViewVC views.  For
most folks, though, this is one of those configure-once-and-never-look-back
items.  So, it might be easier to just hard-code the disablement.  You can
do this by tweaking the function view_checkout() (found in lib/viewvc.py or
lib/viewcvs.py, depending on which software you're running) to raise an
Exception.  Psuedo-patch for ViewVC:

   def view_checkout(request):
  +    raise debug.ViewVCException('Checkout view is disabled',
  +                                '403 Forbidden')

or for ViewCVS:

   def view_checkout(request):
  +    raise debug.ViewCVSException('Checkout view is disabled',
  +                                 '403 Forbidden')

-- 
C. Michael Pilato <cmpilato@xxxxxxxxxx>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Attachment: signature.asc
Description: OpenPGP digital signature