File cvs-Bug-1053364-disallow-dash.patch of Package cvs

Index: cvs-1.12.12/src/root.c
===================================================================
--- cvs-1.12.12.orig/src/root.c
+++ cvs-1.12.12/src/root.c
@@ -615,6 +615,24 @@ parse_cvsroot (const char *root_in)
 	}
 #endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */
     }
+    else if (*cvsroot_copy == '-')
+    {
+	/*
+	 * If the first character is not a colon, it may be the start of
+	 * - a username
+	 * - a hostname
+	 * - a pathname
+	 * The syntax of a hostname is defined by RFCs 952 and 1123
+	 * and it must start with a letter or a digit.
+	 * According to the definition above, a path should start with a slash
+	 * but even if not, there are other tools that croak upon a leading dash
+	 * so you could just as well prepend a "./" if it was a relative path!
+	 * But there is no clear definition of what is permissable at the start of a username
+	 * and this may vary between server OSes, so we just disallow a dash.
+	 */
+	error (0, 0, "CVSROOT (`%s') must not start with a dash.", cvsroot_copy);
+	goto error_exit;
+    }
     else
     {
 	/* If the method isn't specified, assume EXT_METHOD if the string looks