Moritz Naumann wrote:
> I recommend that users and distributors of earlier ViewVC and ViewCVS
> versions should either backport the patch which disables the 'checkout
> view' or the one which makes it optional and deactivate it by default.
> A less simple but less restrictive patch would introduce a content type
> whitelisting approach.

Backporting this change will be overkill, I think. It includes configuration bits for toggling enablement of various ViewVC views. For most folks, though, this is one of those configure-once-and-never-look-back items. So, it might be easier to just hard-code the disablement.

You can do this by tweaking the function view_checkout() (found in lib/viewvc.py or lib/viewcvs.py, depending on which software you're running) to raise an Exception.

Pseudo-patch for ViewVC:

def view_checkout(request):
+ raise debug.ViewVCException('Checkout view is disabled',
+ '403 Forbidden')

or for ViewCVS:

def view_checkout(request):
+ raise debug.ViewCVSException('Checkout view is disabled',
+ '403 Forbidden')

--
C. Michael Pilato <cmpilato@xxxxxxxxxx>
CollabNet <> www.collab.net <> Distributed Development On Demand
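Review bot: In the ViewVC hunk the unconditional raise at the top of view_checkout() has no comment saying it is a deliberate local hardening change. Without one, a later merge or upgrade of lib/viewvc.py can drop it unnoticed. A one-line comment above the raise, stating that the checkout view is intentionally disabled and by whom, would make the change easy to find and re-apply.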
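Review bot: In the ViewCVS hunk the exception is spelled debug.ViewCVSException, where the ViewVC hunk uses debug.ViewVCException, so the two variants are not interchangeable. Before applying, confirm that the name in the hunk matches what the debug module of the installed tree defines. If it does not, requests to the checkout view would fail with a different error instead of the intended '403 Forbidden' response.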
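The content type whitelisting approach mentioned in the quoted message, sketched in Python as an added example; it is not code from ViewVC, ViewCVS or either poster. The allow-list contents, the function names and the fallback to a text/plain download are assumptions made for illustration.

```python
# Added illustration; not ViewVC or ViewCVS code. All names are hypothetical.
import re

# Assumed allow-list: types this sketch lets a checkout-style view send as-is.
ALLOWED_TYPES = frozenset({
    "text/plain", "image/png", "image/gif", "image/jpeg", "application/pdf",
})
FALLBACK_TYPE = "text/plain"


def safe_filename(name):
    """Keep only characters that cannot break out of a quoted header value."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name or "")
    return cleaned or "download"


def checkout_headers(declared_type, filename):
    """Choose response headers for one file served by a checkout-style view.

    declared_type is whatever the repository or a MIME guesser reports for
    the file (for example an svn:mime-type property). It is untrusted input.
    """
    # Compare only type/subtype; parameters supplied with it are dropped.
    base = (declared_type or "").split(";", 1)[0].strip().lower()
    if base in ALLOWED_TYPES:
        content_type, disposition = base, "inline"
    else:
        # Anything not on the list is sent as a plain-text download.
        content_type, disposition = FALLBACK_TYPE, "attachment"
    return {
        "Content-Type": content_type,
        "Content-Disposition": '%s; filename="%s"'
                               % (disposition, safe_filename(filename)),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for declared, name in [("text/html; charset=utf-8", "index.html"),
                           ("IMAGE/PNG", "logo.png"),
                           (None, "notes")]:
        print(name, checkout_headers(declared, name))
```

Compared with the hard-coded disablement, this keeps downloads working for every file while only allow-listed types are sent under their declared type.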