Closed Bug 200798 Opened 22 years ago Closed 9 years ago

CVS should be able to talk to bonsai using http.

Categories

(Webtools Graveyard :: Bonsai, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: rperrot, Assigned: tara)

Details

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030327 Debian/1.3-4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030327 Debian/1.3-4

It is quite difficult to configure the Bonsai mail server (MTA/MDA) and CVS to make Bonsai register CVS actions. To have this working you need to configure the mail server to pipe mail to a Bonsai script, and for that you either have to give the mail user the right to read or write some Bonsai files, or you need to configure the mail server to run the Bonsai script as the usual bonsai user. But as we already have a web server that runs CGI with the proper rights, it would be easy to write a CGI that handles checkins sent by an improved version of dolog.pl.

Reproducible: Always
Steps to Reproduce:
This patch needs a security review at least. I also got an Apache error: malformed header from script.
Bad header=C|1049550933|jetto|/var/lib/cv: /usr/lib/cgi-bin/bonsai/handleCheckin.cgi
Don't worry about the path, this is a Debian version.
This one fixes the header bug. To use it in a standard Bonsai install, you will need to change a path in handleCheckin.cgi. This patch needs a strong security review as it may introduce a cross-site scripting bug.
Attachment #119565 - Attachment is obsolete: true
this isn't consistent w/ the file: + } + elsif ($arg eq '-h') {
Summary: CVS should be able to talk to bonsia using http. → CVS should be able to talk to bonsai using http.
Comment on attachment 120388 [details] [diff] [review] Add CVS to Bonsai comunication by HTTP protocol >+++ bonsai-1.3+cvs20030317/bonsai/handleCheckin.cgi >+# The contents of this file are subject to the Netscape Public >+# License Version 1.1 (the "License"); you may not use this file >+# except in compliance with the License. You may obtain a copy of >+# the License at http://www.mozilla.org/NPL/ i'm not sure this is the right license >+# The Initial Developer of the Original Code is Netscape Communications >+# Corporation. Portions created by Netscape are >+# Copyright (C) 1998 Netscape Communications Corporation. All >+# Rights Reserved. is this really the initial developer you want to select?
Attachment #120388 - Flags: review?(cls)
Comment on attachment 120388 [details] [diff] [review] Add CVS to Bonsai comunication by HTTP protocol

Obviously, the hardcoded bonsai paths have to go. The patch needs to be updated to handle the changes from bug 244801.

I don't like the idea of the cgi being open and exploitable by anyone. I suppose we have the same general vulnerability with the mail solution but at least you can configure smtp to only listen on localhost. At a minimum, we should have a referer check here.

Another issue to consider is that when using http, the bonsai update is no longer asynchronous. The cvs checkin will wait until the http_notification returns. This may cause a noticeable increase in checkin times if the server is loaded. And you have to make certain that none of the processes called by addcheckin.pl attempt to do any rcs commands on the file being checked in, otherwise the entire checkin will hang because of the rcs lock. Just overstating the (not so) obvious.
Attachment #120388 - Flags: review?(cls) → review-
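One way to narrow who can post checkins to such a CGI, as an added example (not code from the attached patch or from Bonsai): accept a notification only from an allow-listed address that also carries an HMAC made with a secret shared with the CVS-side script, and reject records that do not match the expected shape. The allow-list, the secret, the `X-Checkin-MAC` header name and the record layout beyond the `C|time|user|path` prefix seen in the quoted error are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Bonsai code: gate for a checkin-notification CGI.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (hypothetical values): the allowed sender addresses and a
# secret shared with the CVS-side notifier; load both from config in practice.
my %ALLOWED_ADDR = map { $_ => 1 } ('127.0.0.1', '::1');
my $SECRET       = 'constructed-example-secret';

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (status, reason) for one notification.
# In the CGI itself the arguments would be $ENV{REMOTE_ADDR},
# $ENV{HTTP_X_CHECKIN_MAC} (hypothetical header) and the POST body, and the
# Status/Content-Type header block must be printed before any other output.
sub check_notification {
    my ($remote_addr, $mac, $body) = @_;
    return (403, 'sender address not allowed')
        unless defined($remote_addr) && $ALLOWED_ADDR{$remote_addr};
    return (403, 'bad or missing MAC')
        unless defined($mac) && const_eq(lc($mac), hmac_sha256_hex($body, $SECRET));
    # Prefix shape follows the record quoted in this bug: C|<time>|<user>|<path>
    # Markup characters are refused so the record cannot carry script into pages.
    return (400, 'malformed checkin record')
        unless $body =~ /\AC\|\d{1,10}\|[A-Za-z0-9_.-]{1,32}\|[^\r\n<>]+\z/;
    return (200, 'accepted');
}

# Constructed sample inputs: a good request, a foreign address, a wrong MAC,
# and a correctly signed but malformed record.
my $record = 'C|1700000000|alice|/srv/cvsroot|example/file.c';
my @cases = (
    ['127.0.0.1', hmac_sha256_hex($record, $SECRET), $record],
    ['192.0.2.7', hmac_sha256_hex($record, $SECRET), $record],
    ['127.0.0.1', '0' x 64,                          $record],
    ['127.0.0.1', hmac_sha256_hex('C|x', $SECRET),   'C|x'],
);
for my $c (@cases) {
    my ($status, $reason) = check_notification(@$c);
    printf "%-10s %d %s\n", $c->[0], $status, $reason;
}
```

Referer is a client-supplied request header, so it is left out of the gate here.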
QA Contact: timeless → bonsai
Bonsai was decommissioned, closing all remaining bugs "wontfix"
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: Webtools → Webtools Graveyard