• Jeff King's avatar
    shell: drop git-cvsserver support by default · 9a42c03c
    Jeff King authored
    The git-cvsserver script is old and largely unmaintained
    these days. But git-shell allows untrusted users to run it
    out of the box, significantly increasing its attack surface.
    
    Let's drop it from git-shell's list of internal handlers so
    that it cannot be run by default.  This is not backwards
    compatible. But given the age and development activity on
    CVS-related parts of Git, this is likely to impact very few
    users, while helping many more (i.e., anybody who runs
    git-shell and had no intention of supporting CVS).
    
    There's no configuration mechanism in git-shell for us to
    add a boolean and flip it to "off". But there is a mechanism
    for adding custom commands, and adding CVS support here is
    fairly trivial. Let's document it to give guidance to
    anybody who really is still running cvsserver.
    Signed-off-by: default avatarJeff King <peff@peff.net>
    Signed-off-by: default avatarJunio C Hamano <gitster@pobox.com>
    9a42c03c
shell.c 4.53 KB