Mantis - Squeak
Viewing Issue Advanced Details
Issue: 7617
Category: www.squeak.org
Severity: block
Reproducibility: always
Date submitted: 03-21-11 02:15
Last update: 03-21-11 02:17
Reporter: matthewf
Priority: urgent
Status: new
Resolution: open
0007617: Monticello versions in SqueakSource can be overwritten
When uploading a .mcz file to SqueakSource, it apparently does no check to see if something is already there by that name, and overwrites it. This is a huge security hole. It means that anybody on the internet with a WebDAV client could erase or alter the development history of any open repository (Squeak or Pharo inboxes, for instance), and any rogue committer could do it for critical repositories (trunk, Pharo).

Short of malice, this can also be done accidentally, and recently happened on the VMMaker project: http://lists.squeakfoundation.org/pipermail/vm-dev/2011-March/007222.html
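The overwrite described above, as an added illustration in Python (not SqueakSource's own code, which is Smalltalk): a store that clobbers an existing version sits beside one that refuses to replace a stored name, using an exclusive create so the existence check and the write cannot race. The two store classes, the `demonstrate` helper and the version name `Foo-mf.1.mcz` are constructed for this example.

```python
import hashlib
import os
import tempfile

class VersionExists(Exception):
    """A different .mcz is already stored under this version name."""

class VulnerableMczStore:
    """Constructed model of the reported behaviour: the upload is written
    straight to disk and silently replaces whatever was already there."""
    def __init__(self, root):
        self.root = root
    def put(self, name, data):
        with open(os.path.join(self.root, name), "wb") as f:  # clobbers
            f.write(data)
        return "created"

class ImmutableMczStore:
    """Hardened form: a stored version name is never replaced. Re-uploading
    identical bytes is a harmless no-op; different content is refused."""
    def __init__(self, root):
        self.root = root
    def put(self, name, data):
        path = os.path.join(self.root, name)
        try:
            # O_EXCL makes "does it exist?" and "create it" one atomic step,
            # so two racing uploads of the same name cannot both succeed.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            with open(path, "rb") as f:
                if hashlib.sha256(f.read()).digest() == hashlib.sha256(data).digest():
                    return "unchanged"
            raise VersionExists(name)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return "created"

def demonstrate():
    """Upload a version, retry it, then push different bytes under its name."""
    results = {}
    for label, cls in (("vulnerable", VulnerableMczStore), ("immutable", ImmutableMczStore)):
        store = cls(tempfile.mkdtemp())
        outcomes = [store.put("Foo-mf.1.mcz", b"original"), store.put("Foo-mf.1.mcz", b"original")]
        try:
            outcomes.append(store.put("Foo-mf.1.mcz", b"tampered"))
        except VersionExists:
            outcomes.append("rejected")
        with open(os.path.join(store.root, "Foo-mf.1.mcz"), "rb") as f:
            results[label] = (outcomes, f.read())
    return results
```

The vulnerable store answers "created" three times and ends up holding the tampered bytes; the immutable store accepts the retry as "unchanged", rejects the third upload, and still holds the original version.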

There are no notes attached to this issue.