[squeak-dev] Security Vulnerability in SqueakSource
Sven Van Caekenberghe
sven at beta9.be
Mon Mar 21 11:23:04 UTC 2011
On 21 Mar 2011, at 11:20, Bert Freudenberg wrote:
> SqueakSource is simply a WebDAV server. All the versioning logic is local, implemented in Monticello, so allowing overwrites is not really SqueakSource's "fault". Besides, even if SqueakSource disallowed overwriting a version (which it probably should), nothing would prevent somebody else from uploading a *new* version that did something bad.
Yes, versioning/naming is local and distributed; that is a feature. One cannot rely on the name alone.
However, it is most certainly a bug that a server happily overwrites existing versions; a version control system should never do that.
Your other points are valid, of course.