diff -ruN cvs-1.12.9-old/doc/cvs.texinfo cvs-1.12.9/doc/cvs.texinfo --- cvs-1.12.9-old/doc/cvs.texinfo 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/doc/cvs.texinfo 2004-12-09 22:59:54.000000000 +0100 @@ -2398,6 +2398,10 @@ different @sc{cvsroot} directory will not be allowed to connect. If there is more than one @sc{cvsroot} directory which you want to allow, repeat the option. +If there is a whole class of @sc{cvsroot} +directories which you want to allow, you can also specify a +regular expression with the @samp{--allow-root-regexp} +option. This option is repeatable, too. (Unfortunately, many versions of @code{inetd} have very small limits on the number of arguments and/or the total length of the command. The usual solution to this problem is @@ -8062,6 +8066,10 @@ Specify legal @sc{cvsroot} directory. See @ref{Password authentication server}. address@hidden address@hidden +Specify legal @sc{cvsroot} directories. See address@hidden authentication server}. + @cindex Authentication, stream @cindex Stream authentication @item -a @@ -11365,6 +11373,12 @@ in @sc{cvs} 1.9 and older). See @ref{Password authentication server}. address@hidden address@hidden +Specify a regular expression to be matched by legal address@hidden directories (server only) (not in @sc{cvs} +1.11.1 and older). See @ref{Password authentication +server}. + @item -a Authenticate all communication (client only) (not in @sc{cvs} 1.9 and older). See @ref{Global options}. 
@@ -14460,7 +14474,8 @@ pserver server which chooses not to provide a specific reason for denying authorization. Check that the username and password specified are correct and -that the @code{CVSROOT} specified is allowed by @samp{--allow-root} +that the @code{CVSROOT} specified is allowed by address@hidden or @samp{--allow-root-regexp} in @file{inetd.conf}. See @ref{Password authenticated}. @item cvs @var{command}: conflict: removed @var{file} was modified by second party diff -ruN cvs-1.12.9-old/NEWS cvs-1.12.9/NEWS --- cvs-1.12.9-old/NEWS 2004-12-09 22:54:57.000000000 +0100 +++ cvs-1.12.9/NEWS 2004-12-09 22:59:54.000000000 +0100 @@ -574,6 +574,10 @@ should only really affect developers. See the section of the INSTALL file about using the autotools if you are compiling CVS yourself. +* A new command line option, --allow-root-regexp, was added. It +allows to specify a list of regular expressions for the repositories +locations, in addition to the list of exact paths. + Changes from 1.11.1 to 1.11.1p1: * Read only access was broken - now fixed. diff -ruN cvs-1.12.9-old/src/ChangeLog cvs-1.12.9/src/ChangeLog --- cvs-1.12.9-old/src/ChangeLog 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/src/ChangeLog 2004-12-09 23:03:04.000000000 +0100 @@ -1,3 +1,17 @@ +2004-12-09 Roland Mas + + * root.c: Added new functions root_allow_regexp_add and + root_allow_regewp_ok, new variables root_allow_regexp_count, + root_allow_regexp_vector and root_allow_regexp_size. + + * server.c (pserver_authenticate_connection): Use new + root_allow_regexp function. + + * main.c (main): Use new root_allow_regexp_add function, declare + new --allow-root-regexp option parameter. + + * NEWS: Documented these changes. + 2004-06-09 Derek Price * commit.c, filesubr.c, history.c, server.c, wrapper.c: Various diff -ruN cvs-1.12.9-old/src/cvs.h cvs-1.12.9/src/cvs.h --- cvs-1.12.9-old/src/cvs.h 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/src/cvs.h 2004-12-09 23:07:57.000000000 +0100 
@@ -447,8 +447,10 @@ __attribute__ ((__malloc__)); void Create_Root (const char *dir, const char *rootdir); void root_allow_add (char *); +void root_allow_regexp_add (char *); void root_allow_free (void); int root_allow_ok (char *); +int root_allow_regexp_ok (char *); void set_default_pam_user (char *); char *previous_rev (RCSNode *rcs, const char *rev); diff -ruN cvs-1.12.9-old/src/main.c cvs-1.12.9/src/main.c --- cvs-1.12.9-old/src/main.c 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/src/main.c 2004-12-09 23:14:35.000000000 +0100 @@ -439,6 +439,7 @@ {"help-synonyms", 0, NULL, 2}, {"help-options", 0, NULL, 4}, {"allow-root", required_argument, NULL, 3}, + {"allow-root-regexp", required_argument, NULL, 6}, #ifdef HAVE_PAM {"default-pam-user", required_argument, NULL, 5}, #endif @@ -556,6 +557,10 @@ /* --allow-root */ root_allow_add (optarg); break; + case 6: + /* --allow-root-regexp */ + root_allow_regexp_add (optarg); + break; #ifdef HAVE_PAM case 5: /* --default-pam-user */ diff -ruN cvs-1.12.9-old/src/root.c cvs-1.12.9/src/root.c --- cvs-1.12.9-old/src/root.c 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/src/root.c 2004-12-09 23:28:43.000000000 +0100 @@ -181,6 +181,10 @@ static char **root_allow_vector; static int root_allow_size; +static int root_allow_regexp_count; +static char **root_allow_regexp_vector; +static int root_allow_regexp_size; + void root_allow_add (char *arg) { 
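Review bot: In the `case 6:` arm added to main.c, the `--allow-root-regexp` argument is handed to `root_allow_regexp_add` without ever being compiled, so a malformed pattern on the server command line is not reported at startup. It only shows up at authentication time, when `root_allow_regexp_ok` hits a `regcomp` failure and quietly returns 0. For an access-control option the operator needs that failure up front: compile the pattern once when it is added and stop with a message, e.g. `if (regcomp (&re, optarg, REG_EXTENDED|REG_NOSUB) != 0) error (1, 0, "invalid --allow-root-regexp pattern: %s", optarg);` followed by `regfree (&re);`. The enclosing `main` starts and ends outside this hunk.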
@@ -221,11 +225,53 @@ } void +root_allow_regexp_add (char *arg) +{ + char *p; + + if (root_allow_regexp_size <= root_allow_regexp_count) + { + if (root_allow_regexp_size == 0) + { + root_allow_regexp_size = 1; + root_allow_regexp_vector = + (char **) xmalloc (root_allow_regexp_size * sizeof (char *)); + } + else + { + root_allow_regexp_size *= 2; + root_allow_regexp_vector = + (char **) xrealloc (root_allow_regexp_vector, + root_allow_regexp_size * sizeof (char *)); + } + + if (root_allow_regexp_vector == NULL) + { + no_memory: + /* Strictly speaking, we're not supposed to output anything + now. But we're about to exit(), give it a try. */ + printf ("E Fatal server error, aborting.\n\ +error ENOMEM Virtual memory exhausted.\n"); + + exit (EXIT_FAILURE); + } + } + p = xmalloc (strlen (arg) + 1); + if (p == NULL) + goto no_memory; + strcpy (p, arg); + root_allow_regexp_vector[root_allow_regexp_count++] = p; +} + +void root_allow_free (void) { if (root_allow_vector != NULL) free_names (&root_allow_count, root_allow_vector); root_allow_size = 0; + if (root_allow_regexp_vector != NULL) + free_names (&root_allow_regexp_count, root_allow_regexp_vector); + root_allow_regexp_size = 0; } int @@ -233,7 +279,7 @@ { int i; - if (root_allow_count == 0) + if (root_allow_count == 0 && root_allow_regexp_count == 0) { /* Probably someone upgraded from CVS before 1.9.10 to 1.9.10 or later without reading the documentation about 
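Review bot: The NULL checks and the `no_memory` label in `root_allow_regexp_add` look unreachable if `xmalloc`/`xrealloc` abort on failure, as the `x` prefix suggests (their definitions are not in this diff, so confirm). In addition, `goto no_memory` jumps into a nested block from outside it. If the allocators do abort, the tail reduces to `root_allow_regexp_vector[root_allow_regexp_count++] = xstrdup (arg);`. The growth logic presumably mirrors `root_allow_add`, whose body is outside this hunk; a shared static helper taking the vector, count and size would keep the two lists from drifting apart. A short comment above the function saying that the strings are POSIX extended regular expressions stored uncompiled would also help the next reader.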
@@ -250,12 +296,29 @@ } for (i = 0; i < root_allow_count; ++i) - if (strcmp (root_allow_vector[i], arg) == 0) - return 1; + if (strcmp (root_allow_vector[i], arg) == 0) + return 1; return 0; } +int +root_allow_regexp_ok (char *arg) +{ + int i, status; + regex_t re; + for (i = 0; i < root_allow_regexp_count; ++i) { + if (regcomp(&re, root_allow_regexp_vector[i], + REG_EXTENDED|REG_NOSUB) != 0) { + return 0; /* report error */ + } + status = regexec(&re, arg, (size_t) 0, NULL, 0); + regfree(&re); + if (status == 0) + return 1; + } + return 0; +} /* This global variable holds the global -d option. It is NULL if -d was not used, which means that we must get the CVSroot information Les fichiers binaires cvs-1.12.9-old/src/.root.c.rej.swp et cvs-1.12.9/src/.root.c.rej.swp sont différents. diff -ruN cvs-1.12.9-old/src/server.c cvs-1.12.9/src/server.c --- cvs-1.12.9-old/src/server.c 2004-12-09 22:54:56.000000000 +0100 +++ cvs-1.12.9/src/server.c 2004-12-09 22:59:54.000000000 +0100 @@ -6049,7 +6049,7 @@ { error (1, 0, "bad auth protocol end: %s", tmp); } - if (!root_allow_ok (repository)) + if (!root_allow_ok (repository) && !root_allow_regexp_ok (repository)) { printf ("error 0 %s: no such repository\n", repository); #ifdef HAVE_SYSLOG_H
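Review bot: `root_allow_regexp_ok` accepts a root when the pattern matches anywhere inside it, because `regexec` is unanchored and `REG_NOSUB` discards the match position; a pattern written as `/var/cvs/proj[0-9]+` (constructed example) therefore also admits longer paths that merely contain that text. For an allow-list the safer default is a whole-string match, which the version below gets by checking the match offsets, and the texinfo hunks should state which semantics apply. Even with a whole-string match, `.` and `.*` also match `/` and `..`, so the documentation should steer administrators toward classes such as `[^/]+`. Two smaller points: a `regcomp` failure returns 0 and so skips every later pattern without any log line, and no `#include <regex.h>` is visible in this diff, so confirm root.c already gets it through cvs.h.

```c
root_allow_regexp_ok (char *arg)
{
    int i, status;
    regex_t re;
    regmatch_t m;

    for (i = 0; i < root_allow_regexp_count; ++i) {
        /* No REG_NOSUB here: the match offsets are needed below. */
        if (regcomp (&re, root_allow_regexp_vector[i], REG_EXTENDED) != 0)
            return 0;
        status = regexec (&re, arg, (size_t) 1, &m, 0);
        /* ... unchanged: regfree (&re) ... */
        /* Accept only a match that covers the whole requested root. */
        if (status == 0 && m.rm_so == 0 && arg[m.rm_eo] == '\0')
            return 1;
    }
    /* ... unchanged: return 0 ... */
}
```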
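Review bot: The allow decision in `pserver_authenticate_connection` is now assembled at the call site from two functions, so any other caller of `root_allow_ok` (none is visible in this diff) would still consult only the exact-path list. Moving the fallback into root.c, by ending `root_allow_ok` with `return root_allow_regexp_ok (arg);`, keeps the policy in one place. As far as this hunk shows, `repository` is matched exactly as the client sent it, so a comment here such as `/* repository is not canonicalised before matching */` would record that assumption. The enclosing function starts and ends outside this hunk.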