Overview
Comment: | Allow remote commands of the form "*/fossil.exe" on the "ssh:" protocol. |
---|---|
SHA3-256: | 8f70ccaac82d0e30e00158841d1715f1 |
User & Date: | drh 2019-09-25 13:28:54.088 |
Context
2019-09-25
13:45 | Fix the test-http command so that it omits line-ending conversions. This allows the ssh: clone/sync method to work with a windows server. ... (check-in: 28b15b48 user: drh tags: trunk) | |
13:28 | Allow remote commands of the form "*/fossil.exe" on the "ssh:" protocol. ... (check-in: 8f70ccaa user: drh tags: trunk) | |
2019-09-24
23:29 | Performance optimizations in the markdown formatter. ... (check-in: ef41fbfa user: drh tags: trunk) | |
Changes
Changes to src/http_transport.c.
︙ | ︙ | |||
78 79 80 81 82 83 84 | /* ** Check zFossil to see if it is a reasonable "fossil" command to ** run on the server. Do not allow an attacker to substitute something ** like "/bin/rm". */ static int is_safe_fossil_command(const char *zFossil){ | | | 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 | /* ** Check zFossil to see if it is a reasonable "fossil" command to ** run on the server. Do not allow an attacker to substitute something ** like "/bin/rm". */ static int is_safe_fossil_command(const char *zFossil){ static const char *const azSafe[] = { "*/fossil", "*/fossil.exe", "*/echo" }; int i; for(i=0; i<sizeof(azSafe)/sizeof(azSafe[0]); i++){ if( sqlite3_strglob(azSafe[i], zFossil)==0 ) return 1; if( strcmp(azSafe[i]+2, zFossil)==0 ) return 1; } return 0; } |
︙ | ︙ |
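Review bot: The leading `*` in every azSafe pattern, including the new "*/fossil.exe", lets sqlite3_strglob() accept any run of characters before the final path component, spaces and shell metacharacters included, so is_safe_fossil_command() constrains only the tail of zFossil. Since the header comment says this string is run as a command on the server, consider rejecting zFossil before the loop when it contains anything outside a conservative path character set, and keep the glob as the second check. Two smaller points: the new entry matches only a forward-slash separator and the exact lower-case name, so the comment should say whether backslash-separated or mixed-case Windows paths are meant to be refused, and it should also document why "*/echo" is on the list. The loop compares the signed `i` against a `sizeof` expression; an unsigned index or a cast would avoid the mixed-sign comparison.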