Overview
Comment: Enhance security audit to warn about giving hyperlink privilege to user nobody.
SHA3-256: 5999d2446b6c43c359a818b84dd7bd75
User & Date: drh 2022-02-11 15:26:58
Context
2022-02-11
15:40 | Better hyperlinks on the security-audit warning about the server load average setting. ... (check-in: e5c05437 user: drh tags: trunk)
15:26 | Enhance security audit to warn about giving hyperlink privilege to user nobody. ... (check-in: 5999d244 user: drh tags: trunk)
14:57 | Fix mis-coded HTML on the /setup_access page. ... (check-in: ecab8f43 user: drh tags: trunk)
Changes
Changes to src/security_audit.c.
︙
142 143 144 145 146 147 148 | @ should <a href="takeitprivate">take this repository private</a> @ and/or disable self-registration @ immediately! Or, at least remove the Setup and Admin privileges @ from the default permissions for new users. }else if( hasAnyCap(zAnonCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows anonymous users to push unversioned files. | | | | 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 | @ should <a href="takeitprivate">take this repository private</a> @ and/or disable self-registration @ immediately! Or, at least remove the Setup and Admin privileges @ from the default permissions for new users. }else if( hasAnyCap(zAnonCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows anonymous users to push unversioned files. @ Fix this by <a href="takeitprivate">taking the repository private</a> @ or by removing the "y" permission from users "anonymous" and @ "nobody" on the <a href="setup_ulist">User Configuration</a> page. }else if( hasAnyCap(zSelfCap,"y") ){ @ <li><p>This repository is <big><b>INSECURE</b></big> because @ it allows self-registered users to push unversioned files. @ Fix this by <a href="takeitprivate">taking the repository private</a> @ or by removing the "y" permission from the default permissions or @ by disabling self-registration. }else if( hasAnyCap(zAnonCap,"goz") ){ @ <li><p>This repository is <big><b>PUBLIC</b></big>. All @ checked-in content can be accessed by anonymous users. @ <a href="takeitprivate">Take it private</a>.<p> }else if( hasAnyCap(zSelfCap,"goz") && hasSelfReg ){ |
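Review bot: the unchanged PUBLIC case at the end of this hunk closes its paragraph with `<a href="takeitprivate">Take it private</a>.<p>`, an opening `<p>` where `</p>` was presumably meant; since the three INSECURE branches above it are getting remediation text in this pass, fix that tag here too. One wording point: the new text for the "y" cases tells the admin to remove the permission from both "anonymous" and "nobody", but the branch only tests zAnonCap; that is fine if zAnonCap already merges both users' capabilities (not visible in this hunk), otherwise the "nobody" case would never reach this message.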
︙
238 239 240 241 242 243 244 | /* Make sure the HTTPS is required for login, at least, so that the ** password does not go across the Internet in the clear. */ if( db_get_int("redirect-to-https",0)==0 ){ @ <li><p><b>WARNING:</b> @ Sensitive material such as login passwords can be sent over an @ unencrypted connection. | | | 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 | /* Make sure the HTTPS is required for login, at least, so that the ** password does not go across the Internet in the clear. */ if( db_get_int("redirect-to-https",0)==0 ){ @ <li><p><b>WARNING:</b> @ Sensitive material such as login passwords can be sent over an @ unencrypted connection. @ Fix this by changing the "Redirect to HTTPS" setting on the @ <a href="setup_access">Access Control</a> page. If you were using @ the old "Redirect to HTTPS on Login Page" setting, switch to the @ new setting: it has a more secure implementation. } #ifdef FOSSIL_ENABLE_TH1_DOCS /* The use of embedded TH1 is dangerous. Warn if it is possible. |
︙
280 281 282 283 284 285 286 | /* Anonymous users should not be able to harvest email addresses ** from tickets. */ if( hasAnyCap(zAnonCap, "e") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can view email addresses and other personally @ identifiable information on tickets. | | | | | 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 | /* Anonymous users should not be able to harvest email addresses ** from tickets. */ if( hasAnyCap(zAnonCap, "e") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can view email addresses and other personally @ identifiable information on tickets. @ Fix this by removing the "Email" privilege @ (<a href="setup_ucap_list">capability "e"</a>) from users @ "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* Anonymous users probably should not be allowed to push content ** to the repository. */ if( hasAnyCap(zAnonCap, "i") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can push new check-ins into the repository. @ Fix this by removing the "Check-in" privilege @ (<a href="setup_ucap_list">capability</a> "i") from users @ "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* Anonymous users probably should not be allowed act as moderators ** for wiki or tickets. */ if( hasAnyCap(zAnonCap, "lq5") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can act as moderators for wiki, tickets, or @ forum posts. This defeats the whole purpose of moderation. @ Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum" @ privileges (<a href="%R/setup_ucap_list">capabilities</a> "fq5") @ from users "anonymous" and "nobody" @ on the <a href="setup_ulist">User Configuration</a> page. } /* Check to see if any TH1 scripts are configured to run on a sync */ |
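Review bot: the capability letters quoted in the moderation warning do not match the test: the condition is `hasAnyCap(zAnonCap, "lq5")` but the message tells the admin to remove capabilities "fq5". The message names the "Mod-Wiki", "Mod-Tkt" and "Mod-Forum" privileges, which are the tested letters, so change the quoted string to "lq5"; as written, an admin following the advice literally would remove a different bit and leave the moderation capability in place. Two smaller points in the same hunk: the links to the capability list are inconsistent (`<a href="setup_ucap_list">` in the "e" and "i" warnings, `<a href="%R/setup_ucap_list">` in the moderation one), and the comment "should not be allowed act as moderators" is missing "to".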
︙
468 469 470 471 472 473 474 475 476 477 478 | @ <p><b>Caution:</b> @ The "Write-Unver" privilege ('y') is granted to an excessive @ number of users (%d(n)). @ Ideally, the Write-Unver privilege should only @ be granted to one or two users. } } /* Notify if REMOTE_USER or HTTP_AUTHENTICATION is used for login. */ if( db_get_boolean("remote_user_ok", 0) ){ | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | | | | 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 | @ <p><b>Caution:</b> @ The "Write-Unver" privilege ('y') is granted to an excessive @ number of users (%d(n)). @ Ideally, the Write-Unver privilege should only @ be granted to one or two users. } } /* Providing hyperlink capability to user "nobody" can lead to robots ** making excessive requests resulting in DoS */ if( db_exists("SELECT 1 FROM user WHERE login='nobody' AND cap GLOB '*h*'") ){ int nobodyId = db_int(0,"SELECT uid FROM user WHERE login='nobody'"); int anonId = db_int(0, "SELECT uid FROM user WHERE login='anonymous' AND cap NOT GLOB '*h*'"); @ <li><p> @ User "nobody" has "Hyperlink" privilege ('h') which can lead to @ robots walking a nearly endless progression of pages on public-facing @ repositories, causing excessive server load and possible DoS. @ Suggested remediation: @ <ol type="a"> @ <li>Remove the 'h' privilege from the @ <a href="%R/setup_uedit?id=%d(nobodyId)">'nobody' user</a> so that @ robots cannot see hyperlinks. @ <li>Activate <a href="%R/setup_access#autoh">autohyperlink</a> so that @ human readers can still see hyperlinks even if they are not logged in. @ Require mouse movement before enabling hyperlinks and set the @ delay to at least 50 milliseconds. 
if( anonId>0 ){ @ <li>Perhaps set the 'h' privilege on the @ <a href="%R/setup_uedit?id=%d(anonId)">'anonymous' user</a> so @ that humans that have javascript disabled in their browsers can @ still see hyperlinks if they will log in as "anonymous". } @ </ol> } /* Notify if REMOTE_USER or HTTP_AUTHENTICATION is used for login. */ if( db_get_boolean("remote_user_ok", 0) ){ @ <li><p><b>Caution:</b> @ This repository trusts that the REMOTE_USER environment variable set @ up by the webserver contains the name of an authenticated user. @ Fossil's built-in authentication mechanism is bypassed. @ Fix this by deactivating the "Allow REMOTE_USER authentication" @ checkbox on the <a href="setup_access">Access Control</a> page. } if( db_get_boolean("http_authentication_ok", 0) ){ @ <li><p><b>Caution:</b> @ This repository trusts that the HTTP_AUTHENITICATION environment @ variable set up by the webserver contains the name of an @ authenticated user. @ Fossil's built-in authentication mechanism is bypassed. @ Fix this by deactivating the "Allow HTTP_AUTHENTICATION authentication" @ checkbox on the <a href="setup_access">Access Control</a> page. } /* Logging should be turned on */ if( db_get_boolean("access-log",0)==0 ){ @ <li><p> |
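Review bot: the new "nobody has Hyperlink privilege" item is the only one in this region without a severity label; the neighbouring items open with `<b>WARNING:</b>` or `<b>Caution:</b>`, so add one (Caution fits a load/DoS concern) to keep the audit list consistent. The remediation presents autohyperlink as the way to keep links visible to humans; setup.c describes that setting as enabling hyperlinks "based on User-Agent and Javascript", i.e. a heuristic rather than an access control, and saying so in the item would make clear that step (a), dropping 'h' from "nobody", is the actual fix and (b) only softens its usability cost. Also in this hunk: the new links use `%R/setup_uedit?id=...` and `%R/setup_access#autoh` while the adjacent REMOTE_USER and HTTP_AUTHENTICATION items still use bare `href="setup_access"`, and the unchanged context line still reads "HTTP_AUTHENITICATION" (typo for HTTP_AUTHENTICATION) in the message text.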
︙
510 511 512 513 514 515 516 | #if !defined(_WIN32) && !defined(FOSSIL_OMIT_LOAD_AVERAGE) /* Make sure that the load-average limiter is armed and working */ if( load_average()==0.0 ){ @ <li><p> @ Unable to get the system load average. This can prevent Fossil @ from throttling expensive operations during peak demand. | | | | 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 | #if !defined(_WIN32) && !defined(FOSSIL_OMIT_LOAD_AVERAGE) /* Make sure that the load-average limiter is armed and working */ if( load_average()==0.0 ){ @ <li><p> @ Unable to get the system load average. This can prevent Fossil @ from throttling expensive operations during peak demand. @ If running in a chroot jail on Linux, verify that the /proc @ filesystem is mounted within the jail, so that the load average @ can be obtained from the /proc/loadavg file. }else { double r = atof(db_get("max-loadavg", 0)); if( r<=0.0 ){ @ <li><p> @ Load average limiting is turned off. This can cause the server @ to bog down if many requests for expensive services (such as @ large diffs or tarballs) arrive at about the same time. @ To fix this, set the "Server Load Average Limit" on the @ <a href="setup_access">Access Control</a> page to approximately @ the number of available cores on your server, or maybe just a little @ less. }else if( r>=8.0 ){ @ <li><p> @ The "Server Load Average Limit" on the @ <a href="setup_access">Access Control</a> page is set to %g(r), |
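Review bot: the "Load average limiting is turned off" message hedges its advice ("approximately the number of available cores on your server, or maybe just a little less"); state one rule, e.g. "the number of cores, or slightly fewer". Its link also points at the whole `<a href="setup_access">` page while the hyperlink warning in this same check-in links to a specific anchor (`setup_access#autoh`); an equivalent anchor for the load-average setting would land the admin on the control directly. Separately, `double r = atof(db_get("max-loadavg", 0));` passes a null default, so it is worth confirming that db_get falls back to the setting's own default for max-loadavg rather than returning NULL, which atof would not tolerate.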
︙
Changes to src/setup.c.
︙
457 458 459 460 461 462 463 464 465 466 467 468 469 470 | @ computer is too large. Set the threshold for disallowing expensive @ computations here. Set this to 0.0 to disable the load average limit. @ This limit is only enforced on Unix servers. On Linux systems, @ access to the /proc virtual filesystem is required, which means this limit @ might not work inside a chroot() jail. @ (Property: "max-loadavg")</p> @ <hr /> onoff_attribute( "Enable hyperlinks for \"nobody\" based on User-Agent and Javascript", "auto-hyperlink", "autohyperlink", 1, 0); @ <p>Enable hyperlinks (the equivalent of the "h" permission) for all users, @ including user "nobody", as long as @ <ol><li>the User-Agent string in the | > | 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 | @ computer is too large. Set the threshold for disallowing expensive @ computations here. Set this to 0.0 to disable the load average limit. @ This limit is only enforced on Unix servers. On Linux systems, @ access to the /proc virtual filesystem is required, which means this limit @ might not work inside a chroot() jail. @ (Property: "max-loadavg")</p> @ <a id="autoh"></a> @ <hr /> onoff_attribute( "Enable hyperlinks for \"nobody\" based on User-Agent and Javascript", "auto-hyperlink", "autohyperlink", 1, 0); @ <p>Enable hyperlinks (the equivalent of the "h" permission) for all users, @ including user "nobody", as long as @ <ol><li>the User-Agent string in the |
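Review bot: `<a id="autoh"></a>` is an empty anchor element placed before the `<hr />`; putting the id on an existing element (the `<hr />`, or the control emitted by onoff_attribute) avoids an empty `<a>` and lands the reader on the setting itself rather than on the rule above it. Otherwise the anchor name matches the `%R/setup_access#autoh` link added in security_audit.c, so the two halves of the change line up.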
︙