[squeak-dev] Security Vulnerability in SqueakSource

Sven Van Caekenberghe sven at beta9.be
Mon Mar 21 11:23:04 UTC 2011

On 21 Mar 2011, at 11:20, Bert Freudenberg wrote:

> SqueakSource is simply a WebDAV server. All the versioning logic is local, implemented in Monticello, so allowing overwrites is not really SqueakSource's "fault". Besides, even if SqueakSource disallowed overwriting a version (which it probably should) nothing would prevent somebody else to upload a *new* version that did something bad.

Yes, versioning/naming is local and distributed; that is a feature. One cannot rely on the name alone.
However, it is most certainly a bug that a server happily overwrites existing versions; a version control system should never do that.

Your other points are valid, of course.


