Index: cvs-1.12.12/src/root.c =================================================================== --- cvs-1.12.12.orig/src/root.c +++ cvs-1.12.12/src/root.c @@ -615,6 +615,24 @@ parse_cvsroot (const char *root_in) } #endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */ } + else if (*cvsroot_copy == '-') + { + /* + * If the first character is not a colon, it may be the start of + * - a username + * - a hostname + * - a pathname + * The syntax of a hostname is defined by RFCs 952 and 1123 + * and it must start with a letter or a digit. + * According to the definition above, a path should start with a slash + * but even if not, there are other tools that croak upon a leading dash + * so you could just as well prepend a "./" if it was a relative path! + * But there is no clear definition of what is permissable at the start of a username + * and this may vary between server OSes, so we just disallow a dash. + */ + error (0, 0, "CVSROOT (`%s') must not start with a dash.", cvsroot_copy); + goto error_exit; + } else { /* If the method isn't specified, assume EXT_METHOD if the string looks