Fossil

Changes On Branch security-risk
Login

Changes On Branch security-risk

Hide Diff Patch Unified Diff

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Changes In Branch security-risk Excluding Merge-Ins

This is equivalent to a diff from 86d4754a to d407e22f

2017-07-03
13:54
On the server.wiki page, point to the source code comments that describe the various CGI options. ... (check-in: a8910101 user: drh tags: trunk)
13:48
On the server.wiki page, point to the source code comments that describe the various CGI options. ... (Closed-Leaf check-in: d407e22f user: drh tags: security-risk)
11:26
On the /test_env page, show the AUTH_CONTENT and AUTH_TYPE environment variables in "cookie" mode. - On second thought, better to not show these, since they can expose passwords on screen. ... (check-in: d28cb283 user: drh tags: security-risk)
10:36
Suggestion for 2.3 release: Eliminate the need for SQLITE_PREPARE_PERSISTENT, which makes fossil work with SQLite 3.19.3. ... (check-in: 1eab060a user: jan.nijtmans tags: fossil-2.3-with-older-SQLite)
09:31
Update changes.wiki. Some eol-spacing ... (check-in: 86d4754a user: jan.nijtmans tags: trunk)
2017-07-02
18:22
On the /test_env page, report the values of the REMOTE_USER and HTTP_AUTHENTICATION environment variables, if they exist. ... (check-in: 4207a040 user: drh tags: trunk)

Changes to src/style.c. 

1620
1621
1622
1623
1624
1625
1626




1627
1628
1629
1630
1631
1632
1633

  if( i>0 ){
    @ anonymous-adds = %s(zCap)<br />
  }
  @ g.zRepositoryName = %h(g.zRepositoryName)<br />
  @ load_average() = %f(load_average())<br />
  @ <hr />
  P("HTTP_USER_AGENT");




  cgi_print_all(showAll);
  if( showAll && blob_size(&g.httpHeader)>0 ){
    @ <hr />
    @ <pre>
    @ %h(blob_str(&g.httpHeader))
    @ </pre>
  }








>
>
>
>








1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637

  if( i>0 ){
    @ anonymous-adds = %s(zCap)<br />
  }
  @ g.zRepositoryName = %h(g.zRepositoryName)<br />
  @ load_average() = %f(load_average())<br />
  @ <hr />
  P("HTTP_USER_AGENT");
  if( showAll ){
    P("AUTH_CONTENT");
    P("AUTH_TYPE");
  }
  cgi_print_all(showAll);
  if( showAll && blob_size(&g.httpHeader)>0 ){
    @ <hr />
    @ <pre>
    @ %h(blob_str(&g.httpHeader))
    @ </pre>
  }

Changes to www/server.wiki. 

174
175
176
177
178
179
180

181
182
183
184
185
186
187
188

It may be necessary to set permissions properly, or to modify an ".htaccess"
file or make other server-specific changes.  Consult the documentation
for your particular web server. In particular, the following permissions are
<em>normally</em> required (but, again, may be different for a particular
configuration):

<ul>

<li>The Fossil binary must be readable/executable, and ALL directories leading up to it
must be readable by the process which executes the CGI.</li>
<li>ALL directories leading to the CGI script must also be readable and the CGI
script itself must be executable for the user under which it will run (which often differs
from the one running the web server - consult your site's documentation or administrator).</li>
<li>The repository file AND the directory containing it must be writable by the same account
which executes the Fossil binary (again, this might differ from the WWW user). The directory
needs to be writable so that sqlite can write its journal files.</li>








>
|








174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

It may be necessary to set permissions properly, or to modify an ".htaccess"
file or make other server-specific changes.  Consult the documentation
for your particular web server. In particular, the following permissions are
<em>normally</em> required (but, again, may be different for a particular
configuration):

<ul>
<li>The Fossil binary (/usr/bin/fossil in the example above)
must be readable/executable, and ALL directories leading up to it
must be readable by the process which executes the CGI.</li>
<li>ALL directories leading to the CGI script must also be readable and the CGI
script itself must be executable for the user under which it will run (which often differs
from the one running the web server - consult your site's documentation or administrator).</li>
<li>The repository file AND the directory containing it must be writable by the same account
which executes the Fossil binary (again, this might differ from the WWW user). The directory
needs to be writable so that sqlite can write its journal files.</li>

211
212
213
214
215
216
217





218
219
220
221
222
223
224

notfound: http://url-to-go-to-if-repo-not-found/
</pre></blockquote>
</p>
<p>
Once deployed, a URL like: <b>http://mydomain.org/cgi-bin/repo/XYZ</b>
will serve up the repository "/home/fossil/repos/XYZ.fossil" (if it exists).
</p>





</blockquote>

<a name="scgi"></a>
<h2>Fossil as SCGI</h2><blockquote>

<p>
The [/help/server|fossil server] command, described above as a way of








>
>
>
>
>








212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230

notfound: http://url-to-go-to-if-repo-not-found/
</pre></blockquote>
</p>
<p>
Once deployed, a URL like: <b>http://mydomain.org/cgi-bin/repo/XYZ</b>
will serve up the repository "/home/fossil/repos/XYZ.fossil" (if it exists).
</p>
<p>
Additional options available to the CGI script are documented in the
source code.  As of 2017-07-02, the available options are described at
[/artifact/9a52a07b?ln=1777-1824|main.c lines 1777 through 1824].
</p>
</blockquote>

<a name="scgi"></a>
<h2>Fossil as SCGI</h2><blockquote>

<p>
The [/help/server|fossil server] command, described above as a way of