Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Change 'NO_JSON' to lowercase. Remove other branch changes that are now superfluous. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | noJsonCgiFlag |
| Files: | files | file ages | folders |
| SHA3-256: |
8baac2646c3ef6ccf70722a6cc07580d |
| User & Date: | mistachkin 2019-08-27 12:51:34 |
Context
|
2019-08-27
| ||
| 20:57 | For candidate CGI parameter names that start with an uppercase letter, convert them to lowercase and then add. (check-in: b47b6b69 user: mistachkin tags: noJsonCgiFlag) | |
| 12:51 | Change 'NO_JSON' to lowercase. Remove other branch changes that are now superfluous. (check-in: 8baac264 user: mistachkin tags: noJsonCgiFlag) | |
| 10:40 | Query and post parameters may never begin with an upper-case letter. To allow that is a huge security hole. (check-in: 72c721ea user: drh tags: noJsonCgiFlag) | |
Changes
Changes to src/cgi.c.
949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 |
char *zSemi;
int len;
const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
const char *zPathInfo = cgi_parameter("PATH_INFO",0);
#ifdef FOSSIL_ENABLE_JSON
int noJson = P("NO_JSON")!=0;
if( noJson==0 ){ json_main_bootstrap(); }
#endif
g.isHTTP = 1;
cgi_destination(CGI_BODY);
if( zScriptName==0 ) malformed_request("missing SCRIPT_NAME");
if( zRequestUri==0 ){
const char *z = zPathInfo;
|
| |
949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 |
char *zSemi;
int len;
const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
const char *zPathInfo = cgi_parameter("PATH_INFO",0);
#ifdef FOSSIL_ENABLE_JSON
int noJson = P("no_json")!=0;
if( noJson==0 ){ json_main_bootstrap(); }
#endif
g.isHTTP = 1;
cgi_destination(CGI_BODY);
if( zScriptName==0 ) malformed_request("missing SCRIPT_NAME");
if( zRequestUri==0 ){
const char *z = zPathInfo;
|
Changes to src/main.c.
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
....
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
|
** repolist When in "directory:" mode, display a page ** showing a list of available repositories if ** the URL is "/". ** ** localauth Grant administrator privileges to connections ** from 127.0.0.1 or ::1. ** ** uppercase_params Allows CGI parameter names to begin with an ** uppercase letter. ** ** skin: LABEL Use the built-in skin called LABEL rather than ** the default. If there are no skins called LABEL ** then this line is a no-op. ** ** files: GLOBLIST GLOBLIST is a comma-separated list of GLOB ** patterns that specify files that can be ** returned verbatim. This feature allows Fossil ................................................................................ ** --extroot DIR document root for the /ext extension mechanism ** --files GLOB comma-separate glob patterns for static file to serve ** --host NAME specify hostname of the server ** --https signal a request coming in via https ** --in FILE Take input from FILE instead of standard input ** --ipaddr ADDR Assume the request comes from the given IP address ** --localauth enable automatic login for local connections ** --cgiupperok Allows CGI parameter names to begin with an uppercase ** letter. ** --nocompress do not compress HTTP replies ** --nodelay omit backoffice processing if it would delay process exit ** --nojail drop root privilege but do not enter the chroot jail ** --nossl signal that no SSL connections are available ** --notfound URL use URL as "HTTP 404, object not found" page. ** --out FILE write results to FILE instead of to standard output ** --repolist If REPOSITORY is directory, URL "/" lists all repos |
<
<
<
<
<
|
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
....
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
|
** repolist When in "directory:" mode, display a page
** showing a list of available repositories if
** the URL is "/".
**
** localauth Grant administrator privileges to connections
** from 127.0.0.1 or ::1.
**
** skin: LABEL Use the built-in skin called LABEL rather than
** the default. If there are no skins called LABEL
** then this line is a no-op.
**
** files: GLOBLIST GLOBLIST is a comma-separated list of GLOB
** patterns that specify files that can be
** returned verbatim. This feature allows Fossil
................................................................................
** --extroot DIR document root for the /ext extension mechanism
** --files GLOB comma-separate glob patterns for static file to serve
** --host NAME specify hostname of the server
** --https signal a request coming in via https
** --in FILE Take input from FILE instead of standard input
** --ipaddr ADDR Assume the request comes from the given IP address
** --localauth enable automatic login for local connections
** --nocompress do not compress HTTP replies
** --nodelay omit backoffice processing if it would delay process exit
** --nojail drop root privilege but do not enter the chroot jail
** --nossl signal that no SSL connections are available
** --notfound URL use URL as "HTTP 404, object not found" page.
** --out FILE write results to FILE instead of to standard output
** --repolist If REPOSITORY is directory, URL "/" lists all repos
|
Changes to src/winhttp.c.
548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 ... 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 .... 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 .... 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 |
}
if( zFileGlob ){
blob_appendf(&options, " --files-urlenc %T", zFileGlob);
}
if( g.useLocalauth ){
blob_appendf(&options, " --localauth");
}
if( g.cgiUpperParamsOk ){
blob_appendf(&options, " --cgiupperok");
}
if( g.thTrace ){
blob_appendf(&options, " --th-trace");
}
if( flags & HTTP_SERVER_REPOLIST ){
blob_appendf(&options, " --repolist");
}
zSkin = skin_in_use();
................................................................................
**
** --localauth
**
** Enables automatic login if the --localauth option is present
** and the "localauth" setting is off and the connection is from
** localhost.
**
** --cgiupperok
**
** Allows CGI parameter names to begin with an uppercase letter.
**
** --repolist
**
** If REPOSITORY is directory, URL "/" lists all repositories.
**
** --scgi
**
** Create an SCGI server instead of an HTTP server
................................................................................
const char *zStart = find_option("start", "S", 1);
const char *zUsername = find_option("username", "U", 1);
const char *zPassword = find_option("password", "W", 1);
const char *zPort = find_option("port", "P", 1);
const char *zNotFound = find_option("notfound", 0, 1);
const char *zFileGlob = find_option("files", 0, 1);
const char *zLocalAuth = find_option("localauth", 0, 0);
const char *zCgiUpperOk = find_option("cgiupperok", 0, 0);
const char *zRepository = find_repository_option();
int useSCGI = find_option("scgi", 0, 0)!=0;
int allowRepoList = find_option("repolist",0,0)!=0;
Blob binPath;
verify_all_options();
if( g.argc==4 ){
................................................................................
if( zAltBase ) blob_appendf(&binPath, " --baseurl %s", zAltBase);
if( zPort ) blob_appendf(&binPath, " --port %s", zPort);
if( useSCGI ) blob_appendf(&binPath, " --scgi");
if( allowRepoList ) blob_appendf(&binPath, " --repolist");
if( zNotFound ) blob_appendf(&binPath, " --notfound \"%s\"", zNotFound);
if( zFileGlob ) blob_appendf(&binPath, " --files-urlenc %T", zFileGlob);
if( zLocalAuth ) blob_append(&binPath, " --localauth", -1);
if( zCgiUpperOk ) blob_append(&binPath, " --cgiupperok", -1);
blob_appendf(&binPath, " \"%s\"", g.zRepositoryName);
/* Create the service. */
hScm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if( !hScm ) winhttp_fatal("create", zSvcName, win32_get_last_errmsg());
hSvc = CreateServiceW(
hScm, /* Handle to the SCM */
fossil_utf8_to_unicode(zSvcName), /* Name of the service */
|
< < < < < < < < < |
548 549 550 551 552 553 554 555 556 557 558 559 560 561 ... 982 983 984 985 986 987 988 989 990 991 992 993 994 995 .... 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 .... 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 |
}
if( zFileGlob ){
blob_appendf(&options, " --files-urlenc %T", zFileGlob);
}
if( g.useLocalauth ){
blob_appendf(&options, " --localauth");
}
if( g.thTrace ){
blob_appendf(&options, " --th-trace");
}
if( flags & HTTP_SERVER_REPOLIST ){
blob_appendf(&options, " --repolist");
}
zSkin = skin_in_use();
................................................................................
**
** --localauth
**
** Enables automatic login if the --localauth option is present
** and the "localauth" setting is off and the connection is from
** localhost.
**
** --repolist
**
** If REPOSITORY is directory, URL "/" lists all repositories.
**
** --scgi
**
** Create an SCGI server instead of an HTTP server
................................................................................
const char *zStart = find_option("start", "S", 1);
const char *zUsername = find_option("username", "U", 1);
const char *zPassword = find_option("password", "W", 1);
const char *zPort = find_option("port", "P", 1);
const char *zNotFound = find_option("notfound", 0, 1);
const char *zFileGlob = find_option("files", 0, 1);
const char *zLocalAuth = find_option("localauth", 0, 0);
const char *zRepository = find_repository_option();
int useSCGI = find_option("scgi", 0, 0)!=0;
int allowRepoList = find_option("repolist",0,0)!=0;
Blob binPath;
verify_all_options();
if( g.argc==4 ){
................................................................................
if( zAltBase ) blob_appendf(&binPath, " --baseurl %s", zAltBase);
if( zPort ) blob_appendf(&binPath, " --port %s", zPort);
if( useSCGI ) blob_appendf(&binPath, " --scgi");
if( allowRepoList ) blob_appendf(&binPath, " --repolist");
if( zNotFound ) blob_appendf(&binPath, " --notfound \"%s\"", zNotFound);
if( zFileGlob ) blob_appendf(&binPath, " --files-urlenc %T", zFileGlob);
if( zLocalAuth ) blob_append(&binPath, " --localauth", -1);
blob_appendf(&binPath, " \"%s\"", g.zRepositoryName);
/* Create the service. */
hScm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if( !hScm ) winhttp_fatal("create", zSvcName, win32_get_last_errmsg());
hSvc = CreateServiceW(
hScm, /* Handle to the SCM */
fossil_utf8_to_unicode(zSvcName), /* Name of the service */
|