Bug 187230 (Closed). Opened 18 years ago; closed 18 years ago.
[SECURITY] Physical path to files revealed in error messages
See the URL for bugtraq posting.

"Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: email@example.com."

Not setting security flag because this is already publicly disclosed.
In the case of the error message in cvsview2.cgi, I've removed the CVSROOT information, which creates the potential hazard, but left the relative path to the path/dir itself alone. In multidiff.cgi, I've stripped full patch information returned by rcs diff and left just the file name.
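The kind of scrubbing this comment describes, as an added Python example; it is not the patch from attachment 117011 or code from the CGI scripts themselves. The repository root, the function names, and the sample messages and rcsdiff-style header lines are constructed assumptions.

```python
import posixpath
import re

CVSROOT = "/srv/cvsroot"  # assumption: constructed repository root

def scrub_error(message, cvsroot=CVSROOT):
    """Drop the repository root from an error message, keep the relative path."""
    root = re.escape(cvsroot.rstrip("/"))
    # The lookbehind stops a match in the middle of a longer, unrelated path.
    return re.sub(r"(?<![\w./-])" + root + r"/+", "", message)

def scrub_rcsdiff(diff_text):
    """Reduce paths in rcsdiff header lines to the bare file name."""
    out, in_hunk = [], False
    for line in diff_text.splitlines():
        if line.startswith("RCS file: "):
            in_hunk = False  # a new per-file section starts here
            line = "RCS file: " + posixpath.basename(line[len("RCS file: "):])
        elif line.startswith("@@"):
            in_hunk = True   # from here on, '---'/'+++' may be file content
        elif not in_hunk and line.startswith(("--- ", "+++ ")):
            # Header layout assumed: marker, path, TAB, date, TAB, revision.
            path, tab, rest = line[4:].partition("\t")
            line = line[:4] + posixpath.basename(path) + tab + rest
        out.append(line)
    return "\n".join(out)

# Constructed sample of unified rcsdiff output (not taken from the bug).
SAMPLE_DIFF = "\n".join([
    "RCS file: /srv/cvsroot/proj/tools/multidiff.cgi,v",
    "retrieving revision 1.10",
    "retrieving revision 1.11",
    "diff -u -r1.10 -r1.11",
    "--- /srv/cvsroot/proj/tools/multidiff.cgi\t2003/03/01 10:00:00\t1.10",
    "+++ /srv/cvsroot/proj/tools/multidiff.cgi\t2003/03/10 12:00:00\t1.11",
    "@@ -1,2 +1,2 @@",
    "--- see docs/README",   # a removed line whose content begins with "-- "
    "+-- see docs/INSTALL",
])

if __name__ == "__main__":
    print(scrub_error("Unable to open /srv/cvsroot/proj/tools/cvsview2.cgi,v"))
    print(scrub_rcsdiff(SAMPLE_DIFF))
```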
Comment on attachment 117011: removing fully qualified path information from public display

the indentation of multidiff is bad - tabs
Attachment #117011 - Flags: review+
Checked in the patch.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED