Closed Bug 187230 Opened 18 years ago Closed 18 years ago

[SECURITY] Physical path to files revealed in error messages

Categories

(Webtools Graveyard :: Bonsai, defect)

defect
Not set
blocker

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: justdave, Assigned: tara)

Attachments

(1 file)

See the URL for bugtraq posting.

"Currently we are not aware of any vendor-supplied patches for this issue. If
you feel we are in error or are aware of more recent information, please mail us
at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>."

Not setting security flag because this is already publicly disclosed.

Status: NEW → ASSIGNED

In the case of the error message in cvsview2.cgi, I've removed the CVSROOT
information, which creates the potential hazard, but left the relative path to
the path/dir itself alone.

In multidiff.cgi, I've stripped full path information returned by rcs diff and
left just the file name.
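
The two changes described in the comment above, sketched as an added Python example (not Bonsai's code and not the attached patch): `strip_cvsroot` removes the repository root from an error message but keeps the repository-relative path, and `filename_only` reduces absolute paths in diff-tool output to the file name. The `CVSROOT` value, the function names and the sample messages are constructed for illustration.

```python
import re

CVSROOT = "/var/cvs/projects"  # constructed value; a real tool reads it from config


def strip_cvsroot(message, cvsroot=CVSROOT):
    """Drop the repository root from a message, keeping the relative path."""
    root = cvsroot.rstrip("/")
    if not root:
        return message
    # Match the root only as whole path components: not inside a longer
    # path (lookbehind) and not as a prefix of a sibling directory such as
    # /var/cvs/projects-old (lookahead).
    pattern = r"(?<![\w.-])" + re.escape(root) + r"(?:/|(?![\w.-]))"
    return re.sub(pattern, "", message)


# An absolute path: a leading "/" that does not continue a word (so dates
# such as 2003/03/12 are left alone), any directories, then the last component.
_ABS_PATH = re.compile(r"(?<![\w.-])/(?:[^\s/]+/)*([^\s/]+)")


def filename_only(text):
    """Collapse every absolute path in diff-tool output to its file name."""
    return _ABS_PATH.sub(r"\1", text)


if __name__ == "__main__":
    # Constructed sample messages, not output captured from Bonsai.
    print(strip_cvsroot(
        "Unable to open /var/cvs/projects/mozilla/webtools/bonsai/cvsview2.cgi,v"))
    print(filename_only(
        "RCS file: /var/cvs/projects/mozilla/webtools/bonsai/multidiff.cgi,v"))
```
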

Comment on attachment 117011
removing fully qualified path information from public display

the indentation of multidiff is bad - tabs
Attachment #117011 - Flags: review+

Checked in the patch.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard