Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Enhance the security-audit page to detect insecurities resulting from having self-registration enabled. This is a work in progress. More testing and more checks are needed in this area. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
724ccc46f2cba9ae5196a89a01c950bb |
User & Date: | drh 2018-10-17 23:53:54.851 |
Context
2018-10-19
| ||
22:12 | Use a signed type to avoid an infinite loop in socket_send(); socket_receive() is already fine. ... (check-in: d0fa9eee user: andybradford tags: trunk) | |
2018-10-17
| ||
23:53 | Enhance the security-audit page to detect insecurities resulting from having self-registration enabled. This is a work in progress. More testing and more checks are needed in this area. ... (check-in: 724ccc46 user: drh tags: trunk) | |
2018-10-12
| ||
16:14 | Fix a comment on the "html" and "puts" TH1 commands. Before this fix, the meanings of the two commands were reversed. ... (check-in: 35563f3d user: drh tags: trunk) | |
Changes
Changes to src/security_audit.c.
︙ | ︙ | |||
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 | ** ** Run a security audit of the current Fossil setup. ** This page requires administrator access */ void secaudit0_page(void){ const char *zAnonCap; /* Capabilities of user "anonymous" and "nobody" */ const char *zPubPages; /* GLOB pattern for public pages */ char *z; int n; login_check_credentials(); if( !g.perm.Setup && !g.perm.Admin ){ login_needed(0); return; } style_header("Security Audit"); @ <ol> /* Step 1: Determine if the repository is public or private. "Public" ** means that any anonymous user on the internet can access all content. ** "Private" repos require (non-anonymous) login to access all content, ** though some content may be accessible anonymously. */ zAnonCap = db_text("", "SELECT fullcap(NULL)"); zPubPages = db_get("public-pages",0); if( hasAnyCap(zAnonCap,"as") ){ @ <li><p>This repository is <big><b>Wildly INSECURE</b></big> because @ it grants administrator privileges to anonymous users. You @ should <a href="takeitprivate">take this repository private</a> @ immediately! Or, at least remove the Setup and Admin privileges @ for users "anonymous" and "login" on the @ <a href="setup_ulist">User Configuration</a> page. }else if( hasAnyCap(zAnonCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows anonymous users to push unversioned files. @ <p>Fix this by <a href="takeitprivate">taking the repository private</a> @ or by removing the "y" permission from users "anonymous" and @ "nobody" on the <a href="setup_ulist">User Configuration</a> page. }else if( hasAnyCap(zAnonCap,"goz") ){ @ <li><p>This repository is <big><b>PUBLIC</b></big>. All @ checked-in content can be accessed by anonymous users. @ <a href="takeitprivate">Take it private</a>.<p> }else if( !hasAnyCap(zAnonCap, "jrwy234567") && (zPubPages==0 || zPubPages[0]==0) ){ @ <li><p>This repository is <big><b>Completely PRIVATE</b></big>. @ A valid login and password is required to access any content. }else{ @ <li><p>This repository is <big><b>Mostly PRIVATE</b></big>. @ A valid login and password is usually required, however some | > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | | | | 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 | ** ** Run a security audit of the current Fossil setup. ** This page requires administrator access */ void secaudit0_page(void){ const char *zAnonCap; /* Capabilities of user "anonymous" and "nobody" */ const char *zPubPages; /* GLOB pattern for public pages */ const char *zSelfCap; /* Capabilities of self-registered users */ char *z; int n; login_check_credentials(); if( !g.perm.Setup && !g.perm.Admin ){ login_needed(0); return; } style_header("Security Audit"); @ <ol> /* Step 1: Determine if the repository is public or private. "Public" ** means that any anonymous user on the internet can access all content. ** "Private" repos require (non-anonymous) login to access all content, ** though some content may be accessible anonymously. */ zAnonCap = db_text("", "SELECT fullcap(NULL)"); zPubPages = db_get("public-pages",0); if( db_get_boolean("self-register",0) ){ CapabilityString *pCap; pCap = capability_add(0, db_get("default-perms","")); capability_expand(pCap); zSelfCap = capability_string(pCap); capability_free(pCap); }else{ zSelfCap = fossil_strdup(""); } if( hasAnyCap(zAnonCap,"as") ){ @ <li><p>This repository is <big><b>Wildly INSECURE</b></big> because @ it grants administrator privileges to anonymous users. You @ should <a href="takeitprivate">take this repository private</a> @ immediately! Or, at least remove the Setup and Admin privileges @ for users "anonymous" and "login" on the @ <a href="setup_ulist">User Configuration</a> page. }else if( hasAnyCap(zSelfCap,"as") ){ @ <li><p>This repository is <big><b>Wildly INSECURE</b></big> because @ it grants administrator privileges to self-registered users. You @ should <a href="takeitprivate">take this repository private</a> @ and/or disable self-registration @ immediately! Or, at least remove the Setup and Admin privileges @ from the default permissions for new users. }else if( hasAnyCap(zAnonCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows anonymous users to push unversioned files. @ <p>Fix this by <a href="takeitprivate">taking the repository private</a> @ or by removing the "y" permission from users "anonymous" and @ "nobody" on the <a href="setup_ulist">User Configuration</a> page. }else if( hasAnyCap(zSelfCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows self-registered users to push unversioned files. @ <p>Fix this by <a href="takeitprivate">taking the repository private</a> @ or by removing the "y" permission from the default permissions or @ by disabling self-registration. }else if( hasAnyCap(zAnonCap,"goz") ){ @ <li><p>This repository is <big><b>PUBLIC</b></big>. All @ checked-in content can be accessed by anonymous users. @ <a href="takeitprivate">Take it private</a>.<p> }else if( hasAnyCap(zSelfCap,"goz") ){ @ <li><p>This repository is <big><b>PUBLIC</b></big> because all @ checked-in content can be accessed by self-registered users. @ This repostory would be private if you disabled self-registration.</p> }else if( !hasAnyCap(zAnonCap, "jrwy234567") && !hasAnyCap(zSelfCap, "jrwy234567") && (zPubPages==0 || zPubPages[0]==0) ){ @ <li><p>This repository is <big><b>Completely PRIVATE</b></big>. @ A valid login and password is required to access any content. }else{ @ <li><p>This repository is <big><b>Mostly PRIVATE</b></big>. @ A valid login and password is usually required, however some @ content can be accessed either anonymously or by self-registered @ users: @ <ul> if( hasAnyCap(zAnonCap,"j") || hasAnyCap(zSelfCap,"j") ){ @ <li> Wiki pages } if( hasAnyCap(zAnonCap,"r") || hasAnyCap(zSelfCap,"r") ){ @ <li> Tickets } if( hasAnyCap(zAnonCap,"234567") || hasAnyCap(zSelfCap,"234567") ){ @ <li> Forum posts } if( zPubPages && zPubPages[0] ){ Glob *pGlob = glob_create(zPubPages); int i; @ <li> URLs that match any of these GLOB patterns: @ <ul> |
︙ | ︙ | |||
422 423 424 425 426 427 428 429 430 431 432 433 434 435 | } if( P("apply") ){ db_multi_exec( "UPDATE user SET cap=''" " WHERE login IN ('nobody','anonymous');" "DELETE FROM config WHERE name='public-pages';" ); cgi_redirect("secaudit0"); } style_header("Make This Website Private"); @ <p>Click the "Make It Private" button below to disable all @ anonymous access to this repository. A valid login and password @ will be required to access this repository after clicking that @ button.</p> | > | 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 | } if( P("apply") ){ db_multi_exec( "UPDATE user SET cap=''" " WHERE login IN ('nobody','anonymous');" "DELETE FROM config WHERE name='public-pages';" ); db_set("self-register","0",0); cgi_redirect("secaudit0"); } style_header("Make This Website Private"); @ <p>Click the "Make It Private" button below to disable all @ anonymous access to this repository. A valid login and password @ will be required to access this repository after clicking that @ button.</p> |
︙ | ︙ |