RE: Security Breach Alert - CVS Home File Download Area Compromised
From:
Bernd Petrovitsch
Subject:
RE: Security Breach Alert - CVS Home File Download Area Compromised
Date:
26 Jan 2005 10:15:39 +0100
On Tue, 25 Jan 2005 at 22:45 -0800, Conrad T. Pino wrote:
> > From: Larry Jones
> > Many browsers will automagically unzip the file without removing the .gz
> > from the file name -- that may be all that's going on.
>
> I'd buy this concept if it were a consistent behavior.
>
> When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get
> file sizes consistent with values on download page and a PGP signature check
> reports a valid file.
>
> I'm still unable to download "*.gz.sig" for binaries with Internet Explorer
> 6 and the same download with Netscape 4.8 saves a zero length file.
Strange.
> Working your idea a bit further, the file received with Internet Explorer 6
> is the exact size and content of the uncompressed original which says "magic"
> is taking place but I'm not sure it's client side magic because I expect the
> client side "magic" to work against all servers and that's not currently true.
>
> I get "magic" behavior with:
Which files/URLs exactly?
> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92
With the .gz Files?
> and many other binary areas on CVS home but no "magic" with
> https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0
With the .bz2 files?
> and no "magic" with
> http://jakarta.apache.org/site/binindex.cgi
> either.
The web server may send MIME types and similar information with the delivered
file. The browser may interpret the MIME type and act on it
(automatically, after asking the user, not at all, or ...).
---- snip ----
{5}wget -S 'https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz'
--10:09:46--
[...]
10 Content-Type: text/plain
11 Content-Encoding: x-gzip
---- snip ----
Assuming a "yes" on the above questions, I guess that IE (or whatever
HTTP client you use) now handles .gz and ignores .bz2.
And the client-side behaviour should be configurable (for exactly the
reason you mentioned: checking md5 hashes), or you throw the HTTP client
in the litter box.
Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services
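The header pair Bernd quotes above (Content-Type: text/plain plus Content-Encoding: x-gzip) tells an HTTP client that the gzip bytes are merely a content-coding of a text document, so a client that honours Content-Encoding decodes them before saving and, since the file name still comes from the URL, writes the uncompressed binary under a ".gz" name. A client that stores the wire bytes unchanged (wget of that era) keeps the real archive. The following added example, which is not code from the thread or from cvshome.org, models both client behaviours against the headers as seen and against an assumed corrected configuration (Content-Type: application/x-gzip with no Content-Encoding), and shows the check a downloader should run before trusting a ".gz": gzip magic bytes, listed size and a digest over the archive bytes. The sample payload is constructed and stands in for the real cvs-1.11.11-SunOS-5.8-i386 file; the digest algorithm is sha256 here, but the same check applies to the md5 sums and detached PGP signatures the thread discusses.

```python
import gzip
import hashlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for the binary the server stores as a .gz file.
# It is NOT the real cvs-1.11.11-SunOS-5.8-i386 archive from the thread.
ORIGINAL = b"#!/bin/sh\necho 'stand-in for a cvs binary'\n" * 32
ON_DISK_GZ = gzip.compress(ORIGINAL, mtime=0)

# Headers exactly as they appear in the wget -S output quoted in the mail:
# the gzip file is declared a content-coding of a text/plain document.
HEADERS_AS_SEEN = {"Content-Type": "text/plain", "Content-Encoding": "x-gzip"}

# Assumed corrected server configuration (not from the thread): the .gz
# is served as an opaque file, so no client has any reason to decode it.
HEADERS_OPAQUE = {"Content-Type": "application/x-gzip"}


def save_response(headers, body, honour_content_encoding):
    """Return the bytes a client writes to disk for one response.

    honour_content_encoding=True models a browser that applies
    Content-Encoding (RFC 2616 section 14.11) before saving, which is what
    the thread observes with IE 6; False models a client such as wget that
    stores the wire bytes unchanged. The file name ('*.gz') is taken from
    the URL in both cases, so only the content differs.
    """
    coding = headers.get("Content-Encoding", "").strip().lower()
    if honour_content_encoding and coding in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    return body


def check_gz_download(data, listed_size, listed_sha256):
    """Check a file that is supposed to be a gzip archive.

    Returns (ok, reason). A decoded download fails all three tests: it has
    no gzip magic, its size is the uncompressed size, and any digest or
    signature published for the .gz bytes no longer matches.
    """
    problems = []
    if not data.startswith(GZIP_MAGIC):
        problems.append("no gzip magic: client decoded Content-Encoding?")
    if len(data) != listed_size:
        problems.append(f"size {len(data)} differs from listed {listed_size}")
    if hashlib.sha256(data).hexdigest() != listed_sha256:
        problems.append("digest mismatch")
    return (not problems, "; ".join(problems) if problems else "ok")


def diagnose():
    """Run both header sets through both client behaviours.

    Returns {(server, client): (ok, reason)}. The values the download page
    would list (size and digest) are computed from the archive itself.
    """
    listed_size = len(ON_DISK_GZ)
    listed_sha256 = hashlib.sha256(ON_DISK_GZ).hexdigest()
    results = {}
    for server, headers in (("as_seen", HEADERS_AS_SEEN),
                            ("opaque", HEADERS_OPAQUE)):
        for client, decode in (("browser", True), ("wget", False)):
            saved = save_response(headers, ON_DISK_GZ, decode)
            results[(server, client)] = check_gz_download(
                saved, listed_size, listed_sha256)
    return results


if __name__ == "__main__":
    for (server, client), (ok, reason) in diagnose().items():
        print(f"server={server:8} client={client:8} ok={ok!s:5} {reason}")
```

Only the "as_seen" server with the decoding client produces a bad file; the same bytes fetched without content decoding, or served with an opaque Content-Type, pass all three checks. When reproducing the problem from a shell, note that curl applies content decoding only when asked (--compressed) and that --raw switches it off, so a cross-check with a second client is a cheap way to tell a server misconfiguration from a tampered file before raising a breach alert.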