Ticket #683: Denial of service in CVSTrac 2.0.0

http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html

Bug was introduced in [782], fixed in [850], merged to HEAD in [852].

Remarks:

2007-Jan-29 16:50:29 by cpb:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html

Properties:

Type:         code
Version:      2.0.0
Status:       fixed
Created:      2007-Jan-29 13:58
Severity:
Last Change:  2007-Jan-30 12:53
Priority:
Subsystem:    cvstrac
Assigned To:  cpb
Derived From: #645
Creator:      rse

Related Check-ins:

2006-Aug-16 23:02   Check-in [852]: (#645) merge [850] and [851] into HEAD. (By cpb)
2006-Aug-16 13:48   Check-in [850] on branch css-patches: (#645) tighten up the check in is_repository_file() so it actually uses the %q formatter rather than relying on %s. (By cpb)
2006-May-22 21:27   Check-in [782]: (#551) Avoid the use of "%.*q". We can safely get away with it here because we already filter the strings in other places (is_wiki_name(), isalpha(), is_eow()). (By cpb)