+Changes since 1.12.13:
+**********************
+
+* many which are only documented in MirBSD CVS
+
+* A new command line option, --allow-root-regexp, was added which allows
+ acceptable repositories to be specified using a list of regular expressions.
+
Changes since 1.12.12:
**********************
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61-MirPorts-1 for Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.6.
+# Generated by GNU Autoconf 2.61-MirPorts-1 for Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.7.
#
# Report bugs to <miros-discuss@mirbsd.org>.
#
# Identity of this package.
PACKAGE_NAME='Concurrent Versions System (CVS)'
PACKAGE_TARNAME='cvs'
-PACKAGE_VERSION='1.12.13-MirOS-0AB7.6'
-PACKAGE_STRING='Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.6'
+PACKAGE_VERSION='1.12.13-MirOS-0AB7.7'
+PACKAGE_STRING='Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.7'
PACKAGE_BUGREPORT='miros-discuss@mirbsd.org'
ac_unique_file="src/cvs.h"
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.6 to adapt to many kinds of systems.
+\`configure' configures Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.6:";;
+ short | recursive ) echo "Configuration of Concurrent Versions System (CVS) 1.12.13-MirOS-0AB7.7:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Concurrent Versions System (CVS) configure 1.12.13-MirOS-0AB7.6
+Concurrent Versions System (CVS) configure 1.12.13-MirOS-0AB7.7
generated by GNU Autoconf 2.61-MirPorts-1
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Concurrent Versions System (CVS) $as_me 1.12.13-MirOS-0AB7.6, which was
+It was created by Concurrent Versions System (CVS) $as_me 1.12.13-MirOS-0AB7.7, which was
generated by GNU Autoconf 2.61-MirPorts-1. Invocation command line was
$ $0 $@
# Define the identity of the package.
PACKAGE='cvs'
- VERSION='1.12.13-MirOS-0AB7.6'
+ VERSION='1.12.13-MirOS-0AB7.7'
# Some tools Automake needs.
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Concurrent Versions System (CVS) $as_me 1.12.13-MirOS-0AB7.6, which was
+This file was extended by Concurrent Versions System (CVS) $as_me 1.12.13-MirOS-0AB7.7, which was
generated by GNU Autoconf 2.61-MirPorts-1. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-Concurrent Versions System (CVS) config.status 1.12.13-MirOS-0AB7.6
+Concurrent Versions System (CVS) config.status 1.12.13-MirOS-0AB7.7
configured by $0, generated by GNU Autoconf 2.61-MirPorts-1,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
-dnl $MirOS: src/gnu/usr.bin/cvs/configure.in,v 1.25 2016/11/09 03:04:12 tg Exp $
+dnl $MirOS: src/gnu/usr.bin/cvs/configure.in,v 1.26 2017/01/08 19:43:51 tg Exp $
dnl
dnl configure.in for cvs
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.])
-AC_INIT([Concurrent Versions System (CVS)],[1.12.13-MirOS-0AB7.6],
+AC_INIT([Concurrent Versions System (CVS)],[1.12.13-MirOS-0AB7.7],
[miros-discuss@mirbsd.org],[cvs])
AC_CONFIG_SRCDIR(src/cvs.h)
AM_INIT_AUTOMAKE([gnu 1.9.2 dist-bzip2 no-define])
-.\" $MirOS: src/gnu/usr.bin/cvs/doc/cvs.man.footer,v 1.3 2016/10/22 14:12:50 tg Exp $
+.\" $MirOS: src/gnu/usr.bin/cvs/doc/cvs.man.footer,v 1.6 2017/01/08 19:42:05 tg Exp $
.SH "AUTHORS"
.TP
Dick Grune
And many others too numerous to mention here.
.SH "SEE ALSO"
The most comprehensive manual for CVS is
-Version Management with CVS by Per Cederqvist et al. Depending on
-your system, you may be able to get it with the
-.B info CVS
-command or it may be available as cvs.pdf (Portable Document Format),
-cvs.ps (PostScript), cvs.texinfo (Texinfo source), or cvs.html.
+Version Management with CVS by Per Cederqvist et al. (see
+.I NOTE
+at top).
.SP
For CVS updates, more information on documentation, software related
to CVS, development of CVS, and more, see:
.PD 0
.IP "" 4
.B http://www.nongnu.org/cvs/
-.in -1i
.SP
.BR ci ( 1 ),
.BR co ( 1 ),
.BR rcsdiff ( 1 ),
.BR rcsintro ( 1 ),
.BR rcsmerge ( 1 ),
-.BR rlog ( 1 ).
+.BR rlog ( 1 ),
+.BR re_format ( 7 ).
@comment Documentation for CVS.
@setfilename cvs.info
@afourpaper
-@comment $MirOS: src/gnu/usr.bin/cvs/doc/cvs.texinfo,v 1.27 2016/11/08 23:04:32 tg Exp $
+@comment $MirOS: src/gnu/usr.bin/cvs/doc/cvs.texinfo,v 1.28 2017/01/08 19:13:00 tg Exp $
@macro copyleftnotice
@noindent
Copyright @copyright{} 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
@item @tab Copyright @copyright{} 2003, 2004, 2005, 2007, 2009, 2010, 2011,
2013, 2014, 2015, 2016
mirabilos, The MirOS Project
-@item @tab Copyright @copyright{} 1999, 2000, 2001, 2002, 2003, 2004, 2005
+@item @tab Copyright @copyright{} 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+ 2007
Derek R. Price,
@item @tab Copyright @copyright{} 2002, 2003, 2004, 2005
Ximbiot @url{http://ximbiot.com},
The @samp{--allow-root} option specifies the allowable
@sc{cvsroot} directory. Clients which attempt to use a
different @sc{cvsroot} directory will not be allowed to
-connect. If there is more than one @sc{cvsroot}
-directory which you want to allow, repeat the option.
+connect. To allow a whole class of @sc{cvsroot}, specify
+a POSIX extended regular expression to match allowed
+directories with the @samp{--allow-root-regexp} option.
+These options may be used in conjunction, and both options
+may be repeated to allow access to multiple @sc{cvsroot}
+directories and classes of directories.
(Unfortunately, many versions of @code{inetd} have very small
limits on the number of arguments and/or the total length
of the command. The usual solution to this problem is
to have @code{inetd} run a shell script which then invokes
@sc{cvs} with the necessary arguments.)
- If your @code{inetd} wants a symbolic service
+If your @code{inetd} wants a symbolic service
name instead of a raw port number, then put this in
@file{/etc/services}:
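Review bot: The new paragraph on @samp{--allow-root-regexp} does not say whether the expression has to match the whole @sc{cvsroot} path. root_allow_compare_regexp() in this same change hands the pattern to regexec() exactly as given, so an expression without a leading ^ and a trailing $ matches anywhere inside the path the client sends. Suggest stating that patterns are not anchored implicitly and giving an anchored example of the form the new pserver-3b test uses ('^' ... '/[^/]+$').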
for the Berkeley mdoc macro processing.
@example
-$Mdocdate: November 8 2016 $
+$Mdocdate: January 8 2017 $
@end example
@cindex Header keyword
@table @code
@item --allow-root=@var{rootdir}
-Specify legal @sc{cvsroot} directory (server only) (not
-in @sc{cvs} 1.9 and older). See @ref{Password
+Specify acceptable @sc{cvsroot} directory (server only).
+Appeared in @sc{cvs} 1.10. See @ref{Password
authentication server}.
+@item --allow-root-regexp=@var{rootdir}
+Specify a POSIX extended regular expression which matches acceptable
+@sc{cvsroot} directories (server only). Appeared in @sc{cvs}
+1.12.14. See @ref{Password authentication server}.
+
@item -a
Authenticate all communication (client only) (not in @sc{cvs}
1.9 and older). See @ref{Global options}.
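Review bot: The new table entry uses @var{rootdir} as the metavariable for --allow-root-regexp, but the argument is an expression, not a directory; @var{regexp} would distinguish it from the --allow-root entry directly above. The "Appeared in @sc{cvs} 1.12.14" wording also names a version this tree does not report (configure.in sets 1.12.13-MirOS-0AB7.7), so consider adding the MirOS version in which the option first ships.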
specific reason for denying authorization. Check that
the username and password specified are correct and
that the @code{CVSROOT} specified is allowed by @samp{--allow-root}
+or @samp{--allow-root-regexp}
in @file{inetd.conf}. See @ref{Password authenticated}.
@item cvs @var{command}: conflict: removed @var{file} was modified by second party
uint32_t arc4random(void);
#endif
-__RCSID("$MirOS: src/gnu/usr.bin/cvs/src/main.c,v 1.21 2016/11/08 23:04:37 tg Exp $");
+__RCSID("$MirOS: src/gnu/usr.bin/cvs/src/main.c,v 1.22 2017/01/08 19:13:05 tg Exp $");
const char *program_name;
const char *program_path;
{"help-options", 0, NULL, 4},
#ifdef SERVER_SUPPORT
{"allow-root", required_argument, NULL, 3},
+ {"allow-root-regexp", required_argument, NULL, 14},
#endif /* SERVER_SUPPORT */
{0, 0, 0, 0}
};
/* --allow-root */
root_allow_add (optarg, gConfigPath);
break;
+ case 14:
+ /* --allow-root-regexp */
+ root_allow_regexp_add (optarg, gConfigPath);
+ break;
#endif /* SERVER_SUPPORT */
case 'Q':
really_quiet = 1;
#include <assert.h>
#include "getline.h"
-__RCSID("$MirOS: src/gnu/usr.bin/cvs/src/root.c,v 1.10 2011/06/11 00:39:38 tg Exp $");
+__RCSID("$MirOS: src/gnu/usr.bin/cvs/src/root.c,v 1.11 2017/01/08 19:13:05 tg Exp $");
/* Printable names for things in the current_parsed_root->method enum variable.
Watch out if the enum is changed in cvs.h! */
directories. Then we can check against them when a remote user
hands us a CVSROOT directory. */
static List *root_allow;
+static List *root_allow_regexp;
static void
delconfig (Node *n)
}
void
+root_allow_regexp_add (const char *arg, const char *configPath)
+{
+ Node *n;
+
+ if (!root_allow_regexp) root_allow_regexp = getlist();
+ n = getnode();
+ n->key = xstrdup (arg);
+
+ /* This is a regexp, not the final cvsroot path - we cannot attach
+ it a config. So we attach configPath and we'll root_allow_add()
+ the actual, matching root in root_allow_compare_regexp() */
+ n->data = (void*)configPath;
+
+ addnode (root_allow_regexp, n);
+}
+
+void
root_allow_free (void)
{
dellist (&root_allow);
+ dellist (&root_allow_regexp);
}
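Review bot: In root_allow_regexp_add() the node stores the caller's pointer, n->data = (void*)configPath, casting away const and setting no n->delproc, while root_allow_free() now calls dellist (&root_allow_regexp) on the same list. Please confirm that dellist() leaves n->data alone when no delproc is set; if it releases it, this frees memory the list does not own. Storing an xstrdup() copy, or setting a delproc that does nothing to the data, would make ownership explicit. The pattern is also stored uncompiled, so a malformed expression is accepted at option parsing and only fails later, per request.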
int
root_allow_used (void)
{
- return (root_allow != NULL);
+ return root_allow || root_allow_regexp;
+}
+
+/* walklist() callback for determining if 'root_to_check' matches
+ n->key (a regexp). If yes, 'root_to_check' will be added as if
+ directly specified through --allow-root.
+ */
+static int
+root_allow_compare_regexp (Node *n, void *root_to_check)
+{
+ int status;
+ regex_t re;
+
+ if (regcomp(&re, n->key,
+ REG_EXTENDED|REG_NOSUB) != 0)
+ {
+ return 0; /* report error? */
+ }
+ status = regexec(&re, root_to_check, (size_t) 0, NULL, 0);
+ regfree(&re);
+ if (status == 0)
+ {
+ /* n->data contains gConfigPath */
+ root_allow_add (root_to_check, n->data);
+ return 1;
+ }
+ return 0;
}
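Review bot: In root_allow_compare_regexp() a regcomp() failure returns 0 with only the comment "report error?", so a typo in --allow-root-regexp silently turns into "no root matches" and the administrator sees a refused login with no hint why. Suggest compiling the expression once when the option is parsed and aborting with the regerror() text if it does not compile; that also avoids recompiling every pattern on each root_allow_ok() call. A short comment that a match adds the client-supplied root to root_allow through root_allow_add() would help the next reader, since the callback has that side effect on an otherwise read-only check.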
bool
root_allow_ok (const char *arg)
{
- if (!root_allow)
+ if (!root_allow_used())
{
/* Probably someone upgraded from CVS before 1.9.10 to 1.9.10
or later without reading the documentation about
back "error" rather than waiting for the next request which
expects responses. */
printf ("\
-error 0 Server configuration missing --allow-root in inetd.conf\n");
+error 0 Server configuration missing --allow-root or --allow-root-regexp in inetd.conf\n");
exit (EXIT_FAILURE);
}
+ /* Look for 'arg' in the list of full-path allowed roots */
if (findnode (root_allow, arg))
return true;
+
+ /* Match 'arg' against the list of allowed roots regexps */
+ if (walklist (root_allow_regexp, root_allow_compare_regexp, (void*)arg))
+ return true;
+
return false;
}
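Review bot: With the guard changed from !root_allow to !root_allow_used(), root_allow_ok() can now reach findnode (root_allow, arg) while root_allow is NULL (only --allow-root-regexp given) and walklist (root_allow_regexp, ...) while root_allow_regexp is NULL (only --allow-root given). Please confirm both helpers accept a NULL list, and either note that in a comment here or guard each call explicitly, so the access check does not depend on an undocumented property of the list code.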
-/* $MirOS: src/gnu/usr.bin/cvs/src/root.h,v 1.4 2011/06/11 00:24:06 tg Exp $ */
+/* $MirOS: src/gnu/usr.bin/cvs/src/root.h,v 1.5 2017/01/08 19:13:05 tg Exp $ */
/*
* Copyright (C) 1986-2005 The Free Software Foundation, Inc.
__attribute__ ((__malloc__));
void Create_Root (const char *dir, const char *rootdir);
void root_allow_add (const char *, const char *configPath);
+void root_allow_regexp_add (const char *, const char *configPath);
void root_allow_free (void);
bool root_allow_ok (const char *);
int root_allow_used (void);
#! /bin/sh
:
-# $MirOS: src/gnu/usr.bin/cvs/src/sanity.sh,v 1.5 2016/11/08 23:04:37 tg Exp $
+# $MirOS: src/gnu/usr.bin/cvs/src/sanity.sh,v 1.7 2017/01/08 21:14:34 tg Exp $
#-
# set DISABLE_ANY_RSH=1 to skip rsh and ssh calls
#
willfail: :whocares
EOF
dotest_fail pserver-3 "$servercvs pserver" \
-"error 0 Server configuration missing --allow-root in inetd.conf" <<EOF
+"error 0 Server configuration missing --allow-root or --allow-root-regexp in inetd.conf" <<EOF
BEGIN AUTH REQUEST
$CVSROOT_DIRNAME
testme
END AUTH REQUEST
EOF
+ regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+ dotest pserver-3b "${testcvs} --allow-root-regexp=$regexp pserver" \
+"I LOVE YOU" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
+ regexp='^'`dirname ${CVSROOT_DIRNAME}`'/[^/]+$'
+ dotest_fail pserver-3c "${testcvs} --allow-root-regexp=$regexp pserver" \
+"$CPROG \\[pserver aborted\\]: ${CVSROOT_DIRNAME}/subdir: no such repository" <<EOF
+BEGIN AUTH REQUEST
+${CVSROOT_DIRNAME}/subdir
+testme
+Ay::'d
+END AUTH REQUEST
+EOF
+
# Confirm that not sending a newline during auth cannot constitute
# a denial-of-service attack. This assumes that PATH_MAX is less
# than 65536 bytes. If PATH_MAX is larger than 65535 bytes, this
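Review bot: The new pserver-3b and pserver-3c cases cover only a well-formed, anchored pattern, so the two branches most likely to be misconfigured stay untested: an expression that fails regcomp(), and a pattern given together with a plain --allow-root. Suggest adding a dotest_fail case with an invalid expression and one combined case. Also, regexp is built by pasting `dirname ${CVSROOT_DIRNAME}` into the expression unescaped, so a test directory containing characters such as . or + changes what the pattern matches; the second identical regexp= assignment before pserver-3c can be dropped.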