/browser does not list repositores that are symlinks
Bug #883191 reported by
j^
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Trac-Bzr |
In Progress
|
Medium
|
Martin von Gagern | ||
Bug Description
pointing bzr to a folder with symlinks to repositores /browser is empty
accessing repositories directly via /browser/repo/ works, they also show up in [[Branches]]
(this is with trac/tracbzr from ubuntu 11.10)
Related branches
lp:~gagern/trac-bzr/bug883191
(Merged)
Revision history for this message
| Martin von Gagern (gagern) wrote | #1 |
| Changed in trac-bzr: | |
| assignee: | nobody → Martin von Gagern (gagern) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
To post a comment you must log in.
lp:~gagern/trac-bzr/bug883191 has a fix for the core of this problem. bzrlib local transport only does an lstat, not a stat, so it doesn't treat a symlink to a directory like a directory. As long as trac keeps that policy, we'll have to read symlinks ourselve and iterate over them to the real target.
The branch still requires some form of loop detection, but apart from that, it should work well enough. Please give it a try before I merge it into trunk.
As the code doesn't check that symlinks stay inside a given directory tree, there are some security problems if people were allowed to generate symlinks on your system, but as you say that knowing the name of a symlink allows access even with the current setup, and also considering that trac-bzr will not transfer the content of unversioned files, I guess that there should be no serious security problems introduced by this change. And restricting symlinks to a given tree would seriously limit their uses.