Overview
Comment: | Update changes.wiki. Some eol-spacing |
---|---|
SHA3-256: | 86d4754a7ad48f291d9dc1699f2dd8f6 |
User & Date: | jan.nijtmans 2017-07-03 09:31:43.204 |
Context
2017-07-03
13:54 | On the server.wiki page, point to the source code comments that describe the various CGI options. ... (check-in: a8910101 user: drh tags: trunk)
11:26 | On the /test_env page, show the AUTH_CONTENT and AUTH_TYPE environment variables in "cookie" mode. - On second thought, better to not show these, since they can expose passwords on screen. ... (check-in: d28cb283 user: drh tags: security-risk)
10:36 | Suggestion for 2.3 release: Eliminate the need for SQLITE_PREPARE_PERSISTENT, which makes fossil work with SQLite 3.19.3. ... (check-in: 1eab060a user: jan.nijtmans tags: fossil-2.3-with-older-SQLite)
09:31 | Update changes.wiki. Some eol-spacing ... (check-in: 86d4754a user: jan.nijtmans tags: trunk)
2017-07-02
18:22 | On the /test_env page, report the values of the REMOTE_USER and HTTP_AUTHENTICATION environment variables, if they exist. ... (check-in: 4207a040 user: drh tags: trunk)
Changes
Changes to src/diffcmd.c.
︙ | ︙ | |||
318 319 320 321 322 323 324 | text_diff(pFile1, pFile2, &out, 0, diffFlags); if( diffFlags & DIFF_NUMSTAT ){ fossil_print("%s %s\n", blob_str(&out), zName); }else{ diff_print_filenames(zName, zName, diffFlags); fossil_print("%s\n", blob_str(&out)); } | | | 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 | text_diff(pFile1, pFile2, &out, 0, diffFlags); if( diffFlags & DIFF_NUMSTAT ){ fossil_print("%s %s\n", blob_str(&out), zName); }else{ diff_print_filenames(zName, zName, diffFlags); fossil_print("%s\n", blob_str(&out)); } /* Release memory resources */ blob_reset(&out); }else{ Blob cmd; Blob temp1; Blob temp2; Blob prefix1; |
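Review bot: whitespace-only hunk; the single marked line has identical text on both sides, consistent with the "eol-spacing" commit message, so there is no functional change to review here. For what it is worth, the `blob_reset(&out)` sits correctly after both `fossil_print` branches, since each branch consumes `blob_str(&out)` before the buffer is released.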
︙ | ︙ |
Changes to src/doc.c.
︙ | ︙ | |||
635 636 637 638 639 640 641 | } }else{ goto doc_not_found; } } if( isUV ){ if( db_table_exists("repository","unversioned") | | | 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 | } }else{ goto doc_not_found; } } if( isUV ){ if( db_table_exists("repository","unversioned") && unversioned_content(zName, &filebody)==0 ){ rid = 1; zDfltTitle = zName; } }else if( fossil_strcmp(zCheckin,"ckout")==0 ){ /* Read from the local checkout */ char *zFullpath; |
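Review bot: whitespace-only hunk (one marked line, identical text). One thing that would merit a code comment rather than a change: when `db_table_exists("repository","unversioned")` holds but `unversioned_content(zName, &filebody)` returns non-zero, the `isUV` branch silently falls through without setting `rid` or jumping to `doc_not_found`, so the not-found handling for that case presumably lives below this hunk; a short comment at the inner closing brace ("fall through: rid stays unset, handled below") would make the intent explicit for the next reader.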
︙ | ︙ |
Changes to src/security_audit.c.
︙ | ︙ | |||
118 119 120 121 122 123 124 | if( db_get_boolean("redirect-to-https",0)==0 ){ @ <li><p><b>WARNING:</b> @ Login passwords can be sent over an unencrypted connection. @ <p>Fix this by activating the "Redirect to HTTPS on the Login page" @ setting on the <a href="setup_access">Access Control</a> page. } | | | | | | | | | 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 | if( db_get_boolean("redirect-to-https",0)==0 ){ @ <li><p><b>WARNING:</b> @ Login passwords can be sent over an unencrypted connection. @ <p>Fix this by activating the "Redirect to HTTPS on the Login page" @ setting on the <a href="setup_access">Access Control</a> page. } /* Anonymous users should not be able to harvest email addresses ** from tickets. */ if( hasAnyCap(zAnonCap, "e") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can view email addresses and other personally @ identifiable information on tickets. @ <p>Fix this by removing the "Email" privilege from users @ "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* Anonymous users probably should not be allowed to push content ** to the repository. */ if( hasAnyCap(zAnonCap, "i") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can push new check-ins into the repository. @ <p>Fix this by removing the "Check-in" privilege from users @ "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* Anonymous users probably should not be allowed act as moderators ** for wiki or tickets. */ if( hasAnyCap(zAnonCap, "lq") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can act as moderators for wiki and/or tickets. @ This defeats the whole purpose of moderation. 
@ <p>Fix this by removing the "Mod-Wiki" and "Mod-Tkt" @ privilege from users "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* Anonymous users probably should not be allowed to delete ** wiki or tickets. */ if( hasAnyCap(zAnonCap, "d") ){ @ <li><p><b>WARNING:</b> @ Anonymous users can delete wiki and tickets. @ <p>Fix this by removing the "Delete" @ privilege from users "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page. } /* If anonymous users are allowed to create new Wiki, then ** wiki moderation should be activated to pervent spam. */ if( hasAnyCap(zAnonCap, "fk") ){ if( db_get_boolean("modreq-wiki",0)==0 ){ @ <li><p><b>WARNING:</b> @ Anonymous users can create or edit wiki without moderation. @ This can result in robots inserting lots of wiki spam into @ repository. @ <p>Fix this by removing the "New-Wiki" and "Write-Wiki" @ privileges from users "anonymous" and "nobody" on the @ <a href="setup_ulist">User Configuration</a> page or @ by enabling wiki moderation on the @ <a href="setup_modreq">Moderation Setup</a> page. }else{ @ <li><p> @ Anonymous users can create or edit wiki, but moderator @ approval is required before the edits become permanent. } } /* Administrative privilege should only be provided to ** specific individuals, not to entire classes of people. ** And not too many people should have administrator privilege. */ z = db_text(0, "SELECT group_concat(login,' AND ') FROM user" " WHERE cap GLOB '*[as]*'" " AND login in ('anonymous','nobody','reader','developer')"); if( z && z[0] ){ |
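Review bot: three wording slips in the new text, two in comments and one in user-visible output: "wiki moderation should be activated to pervent spam" should read "prevent spam"; "should not be allowed act as moderators" is missing "to"; and the warning "inserting lots of wiki spam into repository" should read "into the repository". The capability checks themselves line up with the messages (`"e"` for Email, `"i"` for Check-in, `"lq"` for Mod-Wiki/Mod-Tkt, `"d"` for Delete, `"fk"` for New-Wiki/Write-Wiki gated on `modreq-wiki`), so no logic concern.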
︙ | ︙ | |||
222 223 224 225 226 227 228 | @ Administrator privilege is granted to @ <a href='setup_ulist?with=as'>%d(n) users</a>. @ Ideally, administator privilege ('s' or 'a') should only @ be granted to one or two users. } } | | | | 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 | @ Administrator privilege is granted to @ <a href='setup_ulist?with=as'>%d(n) users</a>. @ Ideally, administator privilege ('s' or 'a') should only @ be granted to one or two users. } } /* The push-unversioned privilege should only be provided to ** specific individuals, not to entire classes of people. ** And no too many people should have this privilege. */ z = db_text(0, "SELECT group_concat(" "printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login)," "' and ')" " FROM user" " WHERE cap GLOB '*y*'" " AND login in ('anonymous','nobody','reader','developer')" ); |
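Review bot: typo in the new comment at the top of the push-unversioned block, "And no too many people should have this privilege" should read "not too many"; the context line above it also carries "administator" for "administrator". On the query: the `printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login)` builds HTML inside SQL without escaping `login`. That is safe here only because the `WHERE ... login in ('anonymous','nobody','reader','developer')` clause pins the value to four fixed names; a comment saying so would stop this pattern being copied for arbitrary logins, where the login text would need HTML escaping before being emitted.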
︙ | ︙ | |||
290 291 292 293 294 295 296 | @ <li><p> @ The <a href="access_log">User Log</a> is disabled. The user log @ keeps a record of successful and unsucessful login attempts and is @ useful for security monitoring. } if( db_get_boolean("admin-log",0)==0 ){ @ <li><p> | | | | | | 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 | @ <li><p> @ The <a href="access_log">User Log</a> is disabled. The user log @ keeps a record of successful and unsucessful login attempts and is @ useful for security monitoring. } if( db_get_boolean("admin-log",0)==0 ){ @ <li><p> @ The <a href="admin_log">Administrative Log</a> is disabled. @ The administrative log provides a record of configuration changes @ and is useful for security monitoring. } #if !defined(_WIN32) && !defined(FOSSIL_OMIT_LOAD_AVERAGE) /* Make sure that the load-average limiter is armed and working */ if( load_average()==0.0 ){ @ <li><p> @ Unable to get the system load average. This can prevent Fossil @ from throttling expensive operations during peak demand. @ <p>If running in a chroot jail on Linux, verify that the /proc @ filesystem is mounted within the jail, so that the load average @ can be obtained from the /proc/loadavg file. }else { double r = atof(db_get("max-loadavg", "0")); if( r<=0.0 ){ @ <li><p> @ Load average limiting is turned off. This can cause the server @ to bog down if many requests for expensive services (such as @ large diffs or tarballs) arrive at about the same time. @ <p>To fix this, set the "Server Load Average Limit" on the @ <a href="setup_access">Access Control</a> page to approximately @ the number of available cores on your server, or maybe just a little @ less. }else if( r>=8.0 ){ @ <li><p> @ The "Server Load Average Limit" on the @ <a href="setup_access">Access Control</a> page is set to %g(r), @ which seems high. 
Is this server really a %d((int)r)-core machine? } } #endif @ </ol> style_footer(); } /* ** WEBPAGE: takeitprivate ** ** Disable anonymous access to this website |
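Review bot: the test `load_average()==0.0` is reported as "Unable to get the system load average", but an exactly idle host can legitimately report 0.0, so the message cannot distinguish "could not read /proc/loadavg" from "nothing is running"; if `load_average()` has a distinct error return, check that instead, otherwise soften the wording to cover both cases. The context line at 292 also has "unsucessful" for "unsuccessful".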
︙ | ︙ |
Changes to src/setup.c.
︙ | ︙ | |||
179 180 181 182 183 184 185 | const char *zLogin = db_column_text(&s, 1); const char *zCap = db_column_text(&s, 2); const char *zDate = db_column_text(&s, 4); @ <tr> @ <td><a href='setup_uedit?id=%d(uid)'>%d(uid)</a> @ <td><a href='setup_uedit?id=%d(uid)'>%h(zLogin)</a> @ <td>%h(zCap) | | | 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 | const char *zLogin = db_column_text(&s, 1); const char *zCap = db_column_text(&s, 2); const char *zDate = db_column_text(&s, 4); @ <tr> @ <td><a href='setup_uedit?id=%d(uid)'>%d(uid)</a> @ <td><a href='setup_uedit?id=%d(uid)'>%h(zLogin)</a> @ <td>%h(zCap) if( fossil_strcmp(zLogin,"anonymous")==0 ){ @ <td>All logged-in users }else if( fossil_strcmp(zLogin,"developer")==0 ){ @ <td>Users with '<b>v</b>' capability }else if( fossil_strcmp(zLogin,"nobody")==0 ){ @ <td>All users without login }else if( fossil_strcmp(zLogin,"reader")==0 ){ |
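Review bot: whitespace-only hunk (one marked line, identical text); nothing to change. Noting for the record that the row is encoded correctly: the `href` uses the integer `%d(uid)` and the visible login uses `%h(zLogin)`, so the login text is HTML-escaped on output.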
︙ | ︙ |
Changes to www/changes.wiki.
1 2 3 | <title>Change Log</title> <a name='v2_3'></a> | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 | <title>Change Log</title> <a name='v2_3'></a> <h2>Changes for Version 2.3 (2017-07-21)</h2> * Update the built-in SQLite to version 3.20.0 (beta). * Update internal Unicode character tables, used in regular expression handling, from version 9.0 to 10.0. * Show the last-sync-URL on the [/help?cmd=/urllist|/urllist] page. * Added the "Event Summary" activity report. [/reports?type=ci&view=lastchng|example] * Added the "Security Audit" page, available to administrators only * Added the Last Login time to the user list page, for administrators only |
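Review bot: the new bullets are inconsistent in tense and punctuation: "Update the built-in SQLite ..." and "Show the last-sync-URL ..." use the imperative and end with a period, while "Added the "Security Audit" page, available to administrators only" and "Added the Last Login time to the user list page, for administrators only" use past tense and have no terminal period; pick one form for the list. Also, the heading date 2017-07-21 is later than this check-in's own date (2017-07-03 in the overview above), so it is a planned release date and should be confirmed when 2.3 is actually tagged.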
︙ | ︙ |