[chora] change of CVSROOT lockout bug?
Akom
lists@akom2.2y.net
Tue, 20 Aug 2002 16:59:42 -0400
Hi all,
I believe I found a small issue in chora with how it handles CVSROOTs being changed on a running installation. Basically I set up the system and everything worked, and I chose the "remember last root/file" option.
Later on, I changed the CVSROOTs so that the original CVSROOT no longer exists. Chora stopped working, giving me an invalid URL (404) error.
Note this code from Chora.php:
----------------------------
if ($remember_last_file && !empty($last_cvsroot)) {
    $defaultActs['rt'] = $last_cvsroot;
} else {
    foreach ($cvsroots as $key => $val) {
        if (isset($val['default']) || !isset($defaultActs['rt'])) {
            $defaultActs['rt'] = $key;
        }
    }
}

/* See if any have been passed as GET variables, and if
 * so, assign them into the acts array */
while (list($key,) = each($defaultActs)) {
    $acts[$key] = Horde::getFormData($key, $defaultActs[$key]);
}

if (!isset($cvsroots[$acts['rt']])) {
    fatal(404, 'Malformed URL');
}
----------------------------
So basically $acts is invalid due to $defaultActs['rt'] always being set to the contents of horde_prefs whether or not it is an existing CVSROOT.
So I deleted the two entries from horde_prefs, and everything worked.
Then, I was playing with the $conf['restrictions'] array and since all it does is remove the links from restricted elements, I tried to make a manual request to one of the forbidden items. Chora didn't fall for it, but apparently that request, despite failing, set the default items in the horde_prefs table again! So after that I couldn't access chora at all once again, since it was set to one of the forbidden items as default. While this may seem like a good "stop hacking" security feature, it can be annoying.
Sorry I don't have time for a patch but this should be trivial,
Thanks for the great apps,
Akom
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
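
One way to avoid both lockouts described in the message above, as an added example that is not part of the original mail and is not Chora's code: use the remembered root only if it is still configured, and save a preference only after the request has passed validation and the access check. The function name, the return shape, the 403 status and the `$isAllowed` callback (a stand-in for whatever restriction check the installation applies) are assumptions made for illustration.

```php
<?php
// Added illustration; not Chora's code. All names below are hypothetical.

/**
 * Pick the repository key ('rt') for this request.
 * Returns ['rt' => string|null, 'status' => int, 'save' => bool].
 */
function resolveRoot(array $cvsroots, ?string $requested, ?string $remembered,
                     bool $rememberLast, callable $isAllowed): array
{
    // Configured default: same rule as the quoted loop
    // (first key, overridden by any entry carrying a 'default' flag).
    $default = null;
    foreach ($cvsroots as $key => $val) {
        if (isset($val['default']) || $default === null) {
            $default = $key;
        }
    }

    // Use the stored preference only if it still names a configured root.
    if ($rememberLast && $remembered !== null && isset($cvsroots[$remembered])) {
        $default = $remembered;
    }

    $rt = $requested ?? $default;
    if ($rt === null || !isset($cvsroots[$rt])) {
        return ['rt' => null, 'status' => 404, 'save' => false];
    }
    if (!$isAllowed($rt)) {
        return ['rt' => null, 'status' => 403, 'save' => false];
    }
    // Only a request that passed both checks may update the stored preference.
    return ['rt' => $rt, 'status' => 200, 'save' => $rememberLast];
}

// Constructed sample configuration and requests.
$cvsroots  = ['horde' => ['default' => true], 'private' => []];
$isAllowed = fn(string $rt): bool => $rt !== 'private';

$cases = [
    'stale preference'   => [null, 'oldroot'],
    'valid preference'   => [null, 'horde'],
    'unknown requested'  => ['nosuch', 'horde'],
    'restricted request' => ['private', 'horde'],
];
foreach ($cases as $label => [$requested, $remembered]) {
    $r = resolveRoot($cvsroots, $requested, $remembered, true, $isAllowed);
    printf("%-19s status=%d rt=%s save=%s\n", $label, $r['status'],
           $r['rt'] ?? '-', $r['save'] ? 'yes' : 'no');
}
```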