Overview
| Comment: | Add the capability for Fossil to directly interpret the Authentication: HTTP header for Basic Authentication, if enabled on the /setup_access page. Disabled by default. |
|---|---|
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
315cf243685004578a3924f93631222f |
| User & Date: | drh 2017-03-13 23:47:46.951 |
References
|
2017-03-14
| ||
| 01:55 | Merge in small fixes to the test suite and plan to continue improving the suite in the trunk. Also kludge login.c on MinGW which has no strtok_r() available in its libc by supplying a public domain one. There certainly is a better way to deal with this, but this unbreaks the build on Windows broken by [315cf2436]. check-in: 93d52a010f user: rberteig tags: trunk | |
Context
|
2017-03-14
| ||
| 01:55 | Merge in small fixes to the test suite and plan to continue improving the suite in the trunk. Also kludge login.c on MinGW which has no strtok_r() available in its libc by supplying a public domain one. There certainly is a better way to deal with this, but this unbreaks the build on Windows broken by [315cf2436]. check-in: 93d52a010f user: rberteig tags: trunk | |
|
2017-03-13
| ||
| 23:47 | Add the capability for Fossil to directly interpret the Authentication: HTTP header for Basic Authentication, if enabled on the /setup_access page. Disabled by default. check-in: 315cf24368 user: drh tags: trunk | |
| 23:28 | Correct filename title in comment for man_page_command_list.tcl check-in: 260e3c750d user: andygoth tags: trunk | |
| 01:12 | Add the capability for Fossil to directly interpret the Authentication: HTTP header for Basic Authentication, if enabled on the /setup_access page. Disabled by default. Closed-Leaf check-in: 4fa4c0218f user: drh tags: basic-authentication-2 | |
Changes
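--- a/src/cgi.c
+++ b/src/cgi.c
@@ -1442,14 +1442,16 @@
 cgi_setenv("HTTP_IF_NONE_MATCH", zVal);
 }else if( fossil_strcmp(zFieldName,"if-modified-since:")==0 ){
 cgi_setenv("HTTP_IF_MODIFIED_SINCE", zVal);
 }else if( fossil_strcmp(zFieldName,"referer:")==0 ){
 cgi_setenv("HTTP_REFERER", zVal);
 }else if( fossil_strcmp(zFieldName,"user-agent:")==0 ){
 cgi_setenv("HTTP_USER_AGENT", zVal);
+}else if( fossil_strcmp(zFieldName,"authorization:")==0 ){
+cgi_setenv("HTTP_AUTHORIZATION", zVal);
 }else if( fossil_strcmp(zFieldName,"x-forwarded-for:")==0 ){
 const char *zIpAddr = cgi_accept_forwarded_for(zVal);
 if( zIpAddr!=0 ){
 g.zIpAddr = mprintf("%s", zIpAddr);
 cgi_replace_parameter("REMOTE_ADDR", g.zIpAddr);
 }
 }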
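Review bot: The new branch at lines 1449-1450 stores the full `Authorization` value — which for Basic is the user's base64-encoded password — in the CGI parameter table under HTTP_AUTHORIZATION, next to harmless headers such as User-Agent, with nothing marking it as a secret; add `/* Carries the client's credentials (consumed in login.c); never echo or log this value */` above the cgi_setenv() call. If any diagnostic or debugging path in the codebase dumps the parameter table, that path now exposes the password, which is worth checking before the new setting is enabled anywhere. The comparison works case-insensitively only because zFieldName appears to be lowercased earlier in the enclosing function, which starts outside the hunk.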
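--- a/src/login.c
+++ b/src/login.c
@@ -964,13 +964,63 @@
 if( uid==0 ){
 const char *zRemoteUser = P("REMOTE_USER");
 if( zRemoteUser && db_get_boolean("remote_user_ok",0) ){
 uid = db_int(0, "SELECT uid FROM user WHERE login=%Q"
 " AND length(cap)>0 AND length(pw)>0", zRemoteUser);
 }
 }
+/* If the request didn't provide a login cookie or the login cookie didn't
+** match a known valid user, check the HTTP "Authorization" header and
+** see if those credentials are valid for a known user.
+*/
+if( uid==0 ){
+const char *zHTTPAuth = PD("HTTP_AUTHORIZATION", 0);
+/* Check to see if the HTTP "Authorization" header is present
+*/
+if( zHTTPAuth!=0 && zHTTPAuth[0]!=0
+&& db_get_boolean("http_authentication_ok",0)
+){
+char *zBuf = fossil_strdup(zHTTPAuth);
+if( zBuf!=0 ){
+char *zPos;
+char *zTok = strtok_r(zBuf, " ", &zPos);
+if( zTok != 0 ){
+/* Check to see if the authorization scheme is HTTP
+** basic auth.
+*/
+if (strncmp(zTok, "Basic", zTok - zBuf) == 0) {
+zTok = strtok_r(NULL, " ", &zPos);
+int zBytesDecoded = 0;
+char *zDecodedAuth = decode64(zTok, &zBytesDecoded);
+char *zUsername = strtok_r(zDecodedAuth, ":", &zPos);
+char *zPasswd = strtok_r(NULL, ":", &zPos);
+if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){
+/* Attempting to log in as the user provided by HTTP
+** basic auth
+*/
+uid = login_search_uid(zUsername, zPasswd);
+if( uid>0 ){
+record_login_attempt(zUsername, zIpAddr, 1);
+}else{
+record_login_attempt(zUsername, zIpAddr, 0);
+/* The user attempted to login specifically with HTTP basic
+** auth, but provided invalid credentials. Inform them of
+** the failed login attempt via 401.
+*/
+cgi_set_status(401, "Unauthorized");
+cgi_reply();
+fossil_exit(0);
+}
+}
+fossil_free(zDecodedAuth);
+}
+}
+fossil_free(zBuf);
+}
+}
+}
 /* If no user found yet, try to log in as "nobody" */
 if( uid==0 ){
 uid = db_int(0, "SELECT uid FROM user WHERE login='nobody'");
 if( uid==0 ){
 /* If there is no user "nobody", then make one up - with no privileges */
 uid = -1;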
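Review bot: The scheme check at new line 1004, `strncmp(zTok, "Basic", zTok - zBuf)`, compares only `zTok - zBuf` bytes, and because the first strtok_r() token normally starts at zBuf that length is 0, so any scheme (Bearer, Digest, garbage) is accepted as Basic; it should be `fossil_stricmp(zTok, "Basic")==0` (scheme names are case-insensitive per RFC 7235). The second strtok_r() at 1005 returns NULL for a bare `Basic` header and that NULL goes straight into decode64() at 1007, and the split at 1008-1009 truncates the password at its first ':' although RFC 7617 allows ':' inside the password, so the user-id should end at the first ':' found with strchr() and the remainder be taken whole. The 401 at 1023 carries no `WWW-Authenticate: Basic realm="..."` header, which RFC 7235 requires on a 401 response; strtok_r() is also POSIX rather than ISO C, which the follow-up check-in listed on this page reports broke the MinGW build. zIpAddr and the enclosing function are declared outside the hunk; the rewrite below keeps the login_search_uid()/record_login_attempt() block unchanged and assumes decode64() returns a NUL-terminated buffer, as the existing strtok_r() call on it already does.
```c
char *zTok = strtok_r(zBuf, " ", &zPos);
/* Scheme names are case-insensitive (RFC 7235); only Basic is handled.
** A header with no credential token after the scheme is ignored. */
if( zTok!=0 && fossil_stricmp(zTok, "Basic")==0
 && (zTok = strtok_r(NULL, " ", &zPos))!=0
){
  int nDecoded = 0;
  char *zDecodedAuth = decode64(zTok, &nDecoded);
  /* RFC 7617: the user-id cannot contain ':'; everything after the
  ** first ':' is the password and may itself contain ':'. Assumes
  ** decode64() returns a NUL-terminated buffer (or NULL on failure). */
  char *zUsername = zDecodedAuth;
  char *zPasswd = zDecodedAuth!=0 ? strchr(zDecodedAuth, ':') : 0;
  if( zPasswd!=0 ){
    *zPasswd++ = 0;
  }
  if( zPasswd!=0 && zUsername[0]!=0 && zPasswd[0]!=0 ){
    /* … unchanged: login_search_uid(), record_login_attempt(), 401 reply … */
  }
  fossil_free(zDecodedAuth);
}
```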
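--- a/src/setup.c
+++ b/src/setup.c
@@ -1106,14 +1106,22 @@
 @ <hr />
 onoff_attribute("Allow REMOTE_USER authentication",
 "remote_user_ok", "remote_user_ok", 0, 0);
 @ <p>When enabled, if the REMOTE_USER environment variable is set to the
 @ login name of a valid user and no other login credentials are available,
 @ then the REMOTE_USER is accepted as an authenticated user.
 @ </p>
 @
 @ <hr />
+onoff_attribute("Allow HTTP_AUTHENTICATION authentication",
+"http_authentication_ok", "http_authentication_ok", 0, 0);
+@ <p>When enabled, allow the use of the HTTP_AUTHENTICATION environment
+@ variable or the "Authentication:" HTTP header to find the username and
+@ password. This is another way of supporting Basic Authenitication.
+@ </p>
+@
+@ <hr />
 entry_attribute("IP address terms used in login cookie", 3,
 "ip-prefix-terms", "ipt", "2", 0);
 @ <p>The number of octets of of the IP address used in the login cookie.
 @ Set to zero to omit the IP address from the login cookie. A value of
 @ 2 is recommended.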
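Review bot: The new label and help text at lines 1115-1118 name HTTP_AUTHENTICATION and an "Authentication:" header, but the code this setting gates (the cgi.c and login.c hunks in this same check-in) reads the `Authorization:` header via HTTP_AUTHORIZATION, so an administrator reading the page will look for the wrong header and the wrong variable; change the label to `Allow HTTP_AUTHORIZATION authentication`, the sentence to `the HTTP_AUTHORIZATION environment variable or the "Authorization:" HTTP header`, and the typo `Authenitication` to `Authentication`. The text should also state what enabling the option means operationally, since login.c now accepts the password from every request and answers bad credentials with a 401: add a sentence such as `Basic Authentication sends the password with every request, so enable this only when the server is reached over HTTPS.`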