Status

--
critical
RESOLVED FIXED
15 years ago
2 years ago

People

(Reporter: sbwoodside, Assigned: justdave)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

15 years ago
I can't browse the tree in bonsai. The first two levels are OK, but the third
level seems to fall back to the first.

Steps to reproduce please?

What did you click on in what order?
(Reporter)

Comment 2

15 years ago
To reproduce, click on the URL provided above.

Expected output: A list of directories that are inside mozilla/xpfe, e.g.,

AppCores/              apprunner/             components/            tools/
CVS/                   appshell/              global/                widgets/
Makefile               bootstrap/             macbuild/              xpviewer/
Makefile.in            browser/               main/
appfilelocprovider/    communicator/          test/

Actual result: A list of directories that are in cvsroot.

Confirmed.  Actually affects all third-level directories in all branches that
are listed.

This is major enough I'm sure someone would have noticed already if it had been
around a while.  What changed on bonsai recently?

Tara fixed a security hole last week with directory traversal.  I can't find a
bug for it though.

Created attachment 130324
Patch

someone forgot to escape the dots in the regexp.

Guess what a dot does in a regexp? :)

This has already been applied manually on bonsai.mozilla.org because I had a
desperate need to use it tonight. :)
Attachment #130324 - Flags: review?(tara)

Updated

15 years ago
Attachment #130324 - Flags: review?(tara) → review+

Comment 7

15 years ago
yeah, there was never a bug that I filed on that security issue, I just sent an
e-mail to staff@mozilla.org and security@mozilla.org.  Since the issue is fixed,
the problem was that ../ could be used to move higher than the CVS root which
shouldn't be allowed.  There is still an issue with ./.. as the directory.  I
don't think the fix was ever checked into the bonsai for gila either.
OS: MacOS X → All
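
The regexp problem discussed in the comments above, as an added example that is not bonsai's code or the attached patch: a traversal filter written with unescaped dots rejects ordinary nested directories, the escaped form stops doing that but still lets `./..` through, and a per-segment check covers both. The two patterns, the helper names and the sample paths are assumptions (the actual expression in rview.cgi is not shown on this page), and Python stands in for bonsai's Perl.

```python
import re

# Assumed patterns: the real expression in rview.cgi is not shown on this page.
UNESCAPED = re.compile(r"../")    # "." matches any character, so "la/" matches
ESCAPED = re.compile(r"\.\./")    # matches the literal text "../" only


def rejected_by(pattern, rel_dir):
    """True if a search-style filter using `pattern` would refuse rel_dir."""
    return pattern.search(rel_dir) is not None


def resolve_under_root(root, rel_dir):
    """Segment-based check: return the normalized path, or None if rel_dir
    would climb above root. Lexical only; symlinks are not resolved."""
    depth = []
    for seg in rel_dir.split("/"):
        if seg in ("", "."):
            continue              # empty and "." segments do not move
        if seg == "..":
            if not depth:
                return None       # would leave the root
            depth.pop()
        else:
            depth.append(seg)
    return "/".join([root.rstrip("/")] + depth)


# Constructed sample inputs, modelled on the paths named in this report.
SAMPLES = ["mozilla", "mozilla/xpfe", "../etc", "./..", "mozilla/../.."]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d!r:18} unescaped={rejected_by(UNESCAPED, d)!s:5} "
              f"escaped={rejected_by(ESCAPED, d)!s:5} "
              f"segments={resolve_under_root('/cvsroot', d)}")
```
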

Updated

15 years ago
Assignee: tara → justdave

Comment 8

15 years ago
mozilla/webtools/bonsai/rview.cgi 	1.20
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard