Hi,

On Sunday, 02.09.2007, at 18:29 +0200, Florian Weimer wrote:
> * Joachim Breitner:
>
> >> This is an unfortunate interaction between scponly and Subversion, but
> >> not a real bug in any of the programs. The same problem arises when a
> >> scponly-restricted user uploads any form of executable contents. CGI
> >> scripts are more common (and their so-called "PHP shells" which are
> >> explicitly designed to exploit this).
> >
> > I think it’s more than that. If I upload some executable, I still have
> > to find a way to actually execute it (e.g. a badly configured web
> > server). Using subversion, I execute anything in _any case_, making
> > scponly useless for its purpose.
>
> You need write permission on the Subversion repository. I think it's
> pretty obvious that you can change the Subversion hook scripts once
> you've got them.
>
> There are tons of programs which will lead to a similar
> situation--basically anything that reads a user-specific
> configuration file.

Note that every user can create a subversion repository.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
[EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata