viewvc security flaw?

[Josh Bressers <bressers () redhat com>]

I'm not sure about this one, I'm wondering if someone else has an opinion:
http://viewvc.tigris.org/issues/show_bug.cgi?id=354

It was submitted as a Fedora security update, which I'm letting through for
now, as better safe than sorry.

To sum it up, it looks like the mime type used to display a given file in
viewvc can be set via the URL.  Obviously this means that an attacker could
force an arbitrary mime type on any file in a viewvc repository.

It strikes me as not crossing a trust boundary though, as I suspect you'd need
something malicious in the repo in order for this to really be useful.  If the
bad guys can already add arbitrary content, you have bigger problems.

-- 
    JB