File cvs-Bug-1053364-disallow-dash.patch of Package cvs
Index: cvs-1.12.12/src/root.c
===================================================================
--- cvs-1.12.12.orig/src/root.c
+++ cvs-1.12.12/src/root.c
@@ -615,6 +615,24 @@ parse_cvsroot (const char *root_in)
}
#endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */
}
+ else if (*cvsroot_copy == '-')
+ {
+ /*
+ * If the first character is not a colon, it may be the start of
+ * - a username
+ * - a hostname
+ * - a pathname
+ * The syntax of a hostname is defined by RFCs 952 and 1123
+ * and it must start with a letter or a digit.
+ * According to the definition above, a path should start with a slash
+ * but even if not, there are other tools that croak upon a leading dash
+ * so you could just as well prepend a "./" if it was a relative path!
+ * But there is no clear definition of what is permissable at the start of a username
+ * and this may vary between server OSes, so we just disallow a dash.
+ */
+ error (0, 0, "CVSROOT (`%s') must not start with a dash.", cvsroot_copy);
+ goto error_exit;
+ }
else
{
/* If the method isn't specified, assume EXT_METHOD if the string looks
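Review bot: The new `else if (*cvsroot_copy == '-')` branch tests only the first character of the whole CVSROOT string, and only on the path taken when the string does not begin with a colon. A hostname or username that follows a `:method:` prefix or a `user@` part is parsed elsewhere in parse_cvsroot, outside this hunk, so the hunk alone does not show that a leading dash is rejected there. If those fields are later passed as arguments to an external rsh/ssh command, the same `== '-'` test should be applied to the parsed hostname and username after parsing, or the command line should be built so that they cannot be read as options. The block comment also opens with "If the first character is not a colon", which describes the surrounding branch rather than this one; a first line such as `/* A leading dash could be mistaken for an option by external tools. */` would state the reason for the check directly.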