Fossil User Forum

/file?name=... looses name parameter via ”Checking to see if you are a robot”
Login

/file?name=... looses name parameter via ”Checking to see if you are a robot”

Chronological

/file?name=... looses name parameter via "Checking to see if you are a robot"

(1) By MG (mgr) on 2025-10-27 11:02:36 [link] [source]

When accessing a /file URL as "nobody", the name parameter gets lost by the "All clear [OK]" form after the hop through "Checking to see if you are a robot".

See e.g. the one from a previous post of mine https://fossil-scm.org/home/file?udc=1&ci=trunk&name=src/tar.c&ln=71-90 which ends up on https://fossil-scm.org/home/file?ci=trunk&ln=71-90&udc=1&proof=...

One a related note, the same URL with /docfile: https://fossil-scm.org/home/docfile?udc=1&ci=trunk&name=src/tar.c&ln=71-90 does not trigger "Checking to see if you are a robot". Whereas the (according to the docs) equivalent /file?brief does https://fossil-scm.org/home/file?brief&udc=1&ci=trunk&name=src/tar.c&ln=71-90. And obisously looses the name parameter as described above.

Interestingly, in the /file/path/to/file.txt form, it passes through: https://fossil-scm.org/home/file/src/tar.c?udc=1&ci=trunk&ln=71-90

(2) By Andy Bradford (andybradford) on 2025-10-27 13:13:02 in reply to 1 [link] [source] 

Yes, I noticed the parameter getting lost and reported it here:

https://fossil-scm.org/forum/forumpost/cdb6e1a2564d925f

I haven't yet had a chance to investigate.

(3) By MG (mgr) on 2025-10-27 13:42:02 in reply to 2 [link] [source]

Right - did not see that one. Seems like Stephans note about 'name beeing special' matches with my observation that it does not happen in the /file/path/to/some form.

It is caused by https://fossil-scm.org/home/file/src/robot.c?ln=214, where 'name' gets explicitly blocked. Introduced by the commit Do not duplicate the "name" query parameter in the robot.c captcha..

(4.1) By MG (mgr) on 2025-10-27 21:04:40 edited from 4.0 in reply to 3 [source]

Maybe do that (remove the "name" parameter) only if it is not derived from the path.

A short version checking for a non-empty g.zExtra seems to fix it:

Index: src/robot.c
==================================================================
--- src/robot.c
+++ src/robot.c
@@ -209,11 +209,11 @@
   @ <form method="GET" id="x6"><p>
   @ <span id="x3" style="visibility:hidden;">\
   @ Press <input type="submit" id="x5" value="Ok" focus> to continue</span>
   @ <span id="x7" style="visibility:hidden;">You appear to be a robot.</span>\
   @ </p>
-  cgi_tag_query_parameter("name");
+  if( g.zExtra!=0 && g.zExtra[0]!=0 ) cgi_tag_query_parameter("name");
   cgi_query_parameters_to_hidden();
   @ <input id="x4" type="hidden" name="proof" value="0">
   @ </form>
   @ <script nonce='%s(style_nonce())'>
   @ function aaa(x){return document.getElementById(x);}\

Please test, my C is pretty rusty.

(5) By Andy Bradford (andybradford) on 2025-11-14 22:12:48 in reply to 4.1 [link] [source] 

> (remove the "name" parameter) only if it is not derived from the path.

A similar change has been committed to trunk:

https://fossil-scm.org/home/info/96fab06a2237c5ef

(6) By MG (mgr) on 2025-11-19 12:30:42 in reply to 5 [link] [source]

thanks - seems to work just fine now