Ticket #683: Denial of service in CVSTrac 2.0.0
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html
Bug was introduced in [782], fixed in [850], merged to HEAD in [852].
Remarks:
2007-Jan-29 16:50:29 by cpb:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html
Properties:
| Type: | code | Version: | 2.0.0 |
| Status: | fixed | Created: | 2007-Jan-29 13:58 |
| Severity: | 2 | Last Change: | 2007-Jan-30 12:53 |
| Priority: | 3 | Subsystem: | cvstrac |
| Assigned To: | cpb | Derived From: | #645 |
| Creator: | rse |
Related Check-ins:
| 2006-Aug-16 23:02 | Check-in [852]: (#645) merge [850] and [851] into HEAD. (By cpb) |
| 2006-Aug-16 13:48 | Check-in [850] on branch css-patches: (#645) tighten up the check in is_repository_file() so it actually uses the %q formatter rather than relying on %s. (By cpb) |
| 2006-May-22 21:27 | Check-in [782]: (#551) Avoid the use of "%.*q". We can safely get away with it here because we already filter the strings in other places (is_wiki_name(), isalpha(), is_eow()). (By cpb) |