File cvs-Bug-1053364-disallow-dash.patch of Package cvs
@@ -615,6 +615,24 @@ parse_cvsroot (const char *root_in)
#endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */
+ else if (*cvsroot_copy == '-')
+ * If the first character is not a colon, it may be the start of
+ * - a username
+ * - a hostname
+ * - a pathname
+ * The syntax of a hostname is defined by RFCs 952 and 1123
+ * and it must start with a letter or a digit.
+ * According to the definition above, a path should start with a slash
+ * but even if not, there are other tools that croak upon a leading dash
+ * so you could just as well prepend a "./" if it was a relative path!
+ * But there is no clear definition of what is permissable at the start of a username
+ * and this may vary between server OSes, so we just disallow a dash.
+ error (0, 0, "CVSROOT (`%s') must not start with a dash.", cvsroot_copy);
+ goto error_exit;
/* If the method isn't specified, assume EXT_METHOD if the string looks
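Review bot: The added `else if (*cvsroot_copy == '-')` test inspects only the first byte of the unparsed string, and only on the branch where no `:method:` prefix is present. A root that starts with a method prefix, or that carries a `user@` part, can still yield a username or hostname beginning with a dash. The hunk's own comment says other tools misbehave on a leading dash, so the check belongs on the parsed components rather than on the raw string. The parsing of those components lies outside this hunk, so this is inferred; if it holds, add a guard after they are split out, along the lines of `if ((user && *user == '-') || (host && *host == '-')) goto error_exit;`, where `user` and `host` are placeholders for the parser's real fields. Where the remote-shell command line is built, also consider placing `--` before the host argument if the configured program accepts it.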