Timeline

50 most recent check-ins

2019-08-25
13:24
[c6a033cea6] Leaf: Added HTTP proxying info to Debian nginx server setup guide. (user: wyoung tags: trunk)
12:39
[a4bb92f791] Replaced the content of "Running Fossil in SCGI Mode" within www/server/debian/nginx.md with references to our other Fossil server docs. This also reduces the prior focus of this section on fslsrv to a single sentence, since we now prefer the systemd option, now that we have it. (user: wyoung tags: trunk)
12:29
[653e90ca62] Swapped the simple foo.net "whole site is Fossil" example in www/server/debian/nginx.md for the more complicated example.com one where only /code is served by Fossil. This is probably going to be more common, and it shows off the important detail of setting SCRIPT_NAME properly. Made a minor adjustment to any/scgi.md to track this change, so ther... (user: wyoung tags: trunk)
11:52
[5a58ac3141] Clarified use of scgi_params, SCRIPT_NAME, and service starting in the generic SCGI server setup doc. (user: wyoung tags: trunk)
2019-08-24
18:32
[6c6aae9782] Merge fork (user: andygoth tags: trunk)
2019-08-23
12:42
[23a9f9bac2] Add the fossil_random_password() utility function and use it to generate a stronger initial admin-user password in the "fossil new" command. (user: drh tags: trunk)
12:23
[0ac64dad80] If the test-markdown-render or test-wiki-render commands are invoked without a repository in which to check for Wiki page names and artifact hashes, then substitute a temporary, empty, in-memory repository so that the commands will still work and won't give SQL errors. (user: drh tags: trunk)
11:49
[ba88f4f2a7] Leaf: Clarified the placement of "moderator" and "subscriber" in the power hierarchy expression within www/capabilities.md, since each could float up and down somewhat within the fixed hierarchy we give here. Also fixed a broken URL. (user: wyoung tags: caps-doc)
11:07
[3b10e64468] Markdown hyperlinks are only converted to links to wiki if the named wikipage actually exists. Otherwise, the link becomes a relative link. This is for backwards compatibility. (user: drh tags: trunk)
08:31
[832f107ebb] Added www/capabilities.md, a complete treatment on user capabilities, user categories, login groups, and administration matters involving all of this. It does not replace the pre-existing admin-v-setup.md doc, but a bit of its content did move into this new doc. The new doc also contains the user capability info previously in the forum.wiki doc. ... (user: wyoung tags: caps-doc)
05:32
[09c65d7527] Fixed a few fatal error messages from the login-group command that referred to an "add" command, which is now called "join". The symptom I saw is that "fossil login-group add" complained that "add" is not a valid command and that you should give '"add" or "leave"' instead! (user: wyoung tags: trunk)
05:22
[739cd8720e] Fixed a few messages from the login-group command that referred to an apparent older name for the "join" sub-command, "add". This led to a confusing symptom: "fossil login-group add foo" -> {unknown command "add" - should be "add" or "leave"}. (user: wyoung tags: trunk)
2019-08-22
15:06
[9fcd6e443c] Stronger recommendation for changing the default user's random hex password prior to setting up a Fossil server after learning it's 6 hex digits, not 8 as I thought when I wrote that! (user: wyoung tags: trunk)
14:14
[91377ae432] Added bullet list detailing the sources for <script nonce=""> from a Fossil server and the reasons we consider each path safe. (user: wyoung tags: trunk)
13:31
[092eeebf40] Reworked the material explaining why in-page <style> is currently allowed by Fossil's default CSP to make it clearer that this is most likely a temporary situation and that local custom CSS should go in the skin instead. (user: wyoung tags: trunk)
13:13
[23fcd765f6] Expanded the discussion of in-repo and out-of-repo resource links in defcsp.md. (user: wyoung tags: trunk)
12:39
[1c4df5bf0a] Reworked the new introductory material in defcsp.md to be less about the CSP as last-resort and more about being a secondary filter to our other measures. Gave examples to clarify the tensions that prevent a purely server-side solution from being a practical solution. (user: wyoung tags: trunk)
11:54
[5182be99c9] "RaspberryPI" -> "Raspberry Pi" (user: wyoung tags: trunk)
11:53
[b5c2c9bf31] Assorted refinements to the new pre- and post-activation advice sections in www/server/index.html: nix passive voice, add a few details, add some links to related docs, etc. Also fixed a CSS indenting problem preventing correct use of in , then made use of the new freedom in these sections' numbered lists. (user: wyoung tags: trunk)
2019-08-21
19:18
[3e183bfad8] Fix the $ROOT mechanism in HTML documents so that it accepts any whitespace character before href= and script=. Add $ROOT in appropriate places in the server documentation. (user: drh tags: trunk)
18:15
[154ea087af] Outline how to configure a repository before and after server activation. (user: drh tags: trunk)
17:37
[44f1df9fef] Improvements to the althttpd documentation. (user: drh tags: trunk)
17:21
[c2c4d3039f] Further improvements to the server document. (user: drh tags: trunk)
16:57
[bc7683e15a] Extra defenses against running fossil_atexit() more than once. (user: drh tags: trunk)
16:55
[07a5a2118e] Fix the "shell" command so that it avoids invoking the atexit() handler more than once. (user: drh tags: trunk)
15:56
[b2426c2786] Server documentation updates. (user: drh tags: trunk)
14:46
[70d091eacc] Leaf: Merge in recent developments on trunk. (user: andybradford tags: test-updates)
12:32
[2da704c5a1] Disallow versioning of security sensitive settings tcl-setup, th1-setup, and th1-uri-regexp. For effective security, these settings should only be controllable by an administrator. (user: drh tags: trunk)
11:26
[33a7b8babe] Update to the default CSP page. Attempted to resolve merge conflicts, but more editing is likely necessary. (user: drh tags: trunk)
11:09
[7b843f2d43] Added a header to the new XSS material in defcsp.md so we can refer directly to it. (user: wyoung tags: trunk)
11:01
[8d43bb8786] More thorough explanation of <script nonce> in www/defcsp.md, and explained the reason why Fossil has no way of providing that nonce in most content types rather than link to the "XSS via check-in rights" forum post. This new presentation of that post's ideas is more detailed and includes discussion of the feature's interaction with the TH1 docs f... (user: wyoung tags: trunk)
09:40
[366b23a180] Major improvements to the new defcsp.md article. Expanded the introductory material to better describe what the CSP does; added named anchors to headers; moved the discussion of $default_csp overrides into this document from customskin.md, which now just says how you use that variable read-only; and added an entirely new section, "Replacing the De... (user: wyoung tags: trunk)
08:52
[14ac2cacdd] Replaced the redundant copy of the default CSP in skins/bootstrap/header.txt with "$default_csp", allowing the TH1 setup script to override the CSP as in all the other stock skins. (Bootstrap is the last stock skin to define a custom <head> element.) (user: wyoung tags: trunk)
2019-08-20
19:16
[7ae4b1a719] Fix memcpy() compiler warnings. (user: drh tags: trunk)
16:11
[f7c41be825] Fix possible misaligned pointer to a 16-bit object. (user: drh tags: trunk)
15:04
[f146e21af9] Updated and expanded documentation on how to set up a Fossil server. (user: drh tags: trunk)
14:55
[231d693314] Add the --with-sanitizer option to the ./configure script. (user: drh tags: trunk)
07:01
[c57e17931d] Closed-Leaf: Fixed a link punctuation bug introduced in [74a6578c]. (user: wyoung tags: server-docs)
06:45
[8976a9dae3] The merge from trunk accidentally reverted part of the new text in www/embeddeddoc.wiki. (This part was manually merged, and I missed a diff relative to trunk.) (user: wyoung tags: server-docs)
06:35
[d5def0c8c4] Missed a link to server.wiki that should have been checked in with [74a6578c]. (user: wyoung tags: server-docs)
06:34
[42d28c0286] Merged in trunk improvements (user: wyoung tags: server-docs)
06:28
[3cdf764c2c] Reverted src/doc.c to the trunk version. The "Plan Z" reversion in [8264fd75] was incomplete, causing bad TH1 variable expansion. I believe this explains the symptom I worked around in [9bdf650f0b8]. This check-in also cherry-picks [3d6a4fd95c] onto the branch. (user: wyoung tags: server-docs)
06:03
[74a6578cd4] Updated all of the internal hyperlinks referencing www/server.wiki to point at either www/server/index.html or one of the docs it now points at. (user: wyoung tags: server-docs)
04:57
[9bdf650f0b] Fixed an unwanted "$nonce" variable expansion within the new customskin.md introduced by [9044fd2dbe] which only occurs *sometimes*: not on fossil-scm.org, and apparently not in my earlier ckout testing prior to checking it in, but now in a different ckout test. This has to be a TH1 thing, but I don't understand why we didn't see this earlier. Thi... (user: wyoung tags: trunk)
04:34
[f4cbfd5acc] Fixed a link from the new material in embeddeddoc.wiki to the new CSP material: that briefly lived in customskin.md before checking it in, but then I moved it to a new document and forgot to update the link. (user: wyoung tags: trunk)
04:24
[66fdab7605] Closed-Leaf: Fixed a couple of Tcl syntax fixes that caused the new --with-sanitizer code to a) run unconditionally irrespective of the option's setting and b) to check for the existence of libubsan whether it was actually needed or not. (user: wyoung tags: configure-updates)
04:07
[4e6d36d7d4] Added www/defcsp.md, which documents the default Content Security Policy applied by Fossil to the HTML pages it serves. Linked that into embeddeddoc.wik and customskin.md, which touched on this topic before but didn't go into much detail. (user: wyoung tags: trunk)
02:09
[3243a6c148] Fix a compiler warning in the security-audit page. (user: drh tags: trunk)
01:34
[7907b6ffae] Added --with-sanitizer configure-time option for appending -fsanitize=VALUE to CFLAGS and LDFLAGS, plus automatic detection of -lubsan for GCC, which doesn't automatically link to that with -fsanitize=undefined as Clang does. EDIT: This check-in breaks the build on Ubuntu 18.04. (user: wyoung tags: configure-updates)
00:41
[8b7c17de3f] Removed "known to work with IIS" bit from www/server/index.html in the CGI section, since that is not actually true. We can put it back once someone figures out the IIS + CGI + Fossil CPU pegging problem. (user: wyoung tags: server-docs)