Anonymous committed 2398fb3

Updated release notes for 0.7.4.



 * Tarball units also need an _get_user method
+Transifex 0.7.4 (Xorn)
+Transifex 0.7.4 release, codenamed Xorn_, is a security release which
+fixes one issue when users are allowed to administrate their own projects.
+  January 22, 2010
+  6 files changed, 116 insertions(+), 17 deletions(-)
+Affected releases:
+  This security issue affects instances running the 0.7.x branch only. The
+  previous versions only allowed administrators to modify projects.
+Prior to this release, a project maintainer could define a special URL which
+Transifex has access to, but resides on the filesystem. This
+way users could gain unauthorized access to local versioned repositories on the
+Transifex server. This applied to distributed VCSs and can be accomplished by
+defining the correct local path as the repository URL
+(eg. ``/transifex/local_repos/git/...``).
+The allowed repository root URLs are now limited to specific prefixes, such as
+``ssh://`` and ``http://``, via a validator which verifies that the URL has a
+correct prefix. The list of allowed prefixes is a white list and is defined in
+the vcs-related config files, ``settings/60-vcs.conf`` and
+Additionally, a new basic validation has been added, which does not allow the
+use of repositories which have been registered to other projects.
+Transifex instances which are affected are those allowing users to add their
+own projects (``project_add`` permission open) or are using project
+maintainers instead of site-wide admins only.
+This release adds a new configuration option: ``ALLOWED_REPOSITORY_PREFIXES``.
 Transifex 0.7 Release Candidates
 .. _Pyro:
 .. _Frenzy:
 .. _Quicksilver:
+.. _Xorn:
 .. _Basilisk:
 .. _Fedora EPEL:
 .. _Google Translate API:
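Review bot: the sentence describing where the whitelist lives is cut off: it ends with ``settings/60-vcs.conf`` and, with the second config file name missing before the ``Additionally`` sentence begins, so either name the second file or drop the trailing ``and``. Related to that, the new ``ALLOWED_REPOSITORY_PREFIXES`` option is introduced only in the final line, detached from the paragraph that says the prefix list is defined in the vcs config files; move that line up so readers know that the option is the whitelist and which file it is set in. Since the whitelist is the fix for the hole, the notes should also say explicitly that a bare filesystem path such as the ``/transifex/local_repos/git/...`` example (and a ``file://`` URL, if the validator treats that differently) is rejected by the default prefixes, not just that ``ssh://`` and ``http://`` are accepted; "such as" leaves an administrator guessing at the effective default.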