Fossil

Check-in [4a5e972e2c]
Overview
Comment: Additional webserver security: Do not allow the "fossil server" command to return any static content with an unrecognized suffix.
SHA1: 4a5e972e2c7f98ce309735b040364949edb370c8
User & Date: drh 2012-12-01 04:10:37.926
Context
2012-12-01
04:37
Additional restrictions on the names of files served by "fossil server DIRECTORY": (1) only alphanumerics, "_", "-", "/", and "." characters are allowed in the pathname. (2) A "-" may not occur after a "/". (3) Every "." must be surrounded on both sides by alphanumerics. This check-in also updates the changelog for the 1.25 release. ... (check-in: c71e096800 user: drh tags: trunk)
04:10
Additional webserver security: Do not allow the "fossil server" command to return any static content with an unrecognized suffix. ... (check-in: 4a5e972e2c user: drh tags: trunk)
03:55
Update the default new-ticket and edit-ticket scripts so that the Submit button is still shown after a prior submit attempt where the captcha failed. ... (check-in: 28faff0d6a user: drh tags: trunk)
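The three pathname rules listed above for the follow-up check-in c71e096800, implemented as an added example that is not Fossil's own code. It assumes rule (2) means a "-" directly following a "/", and the function name path_is_safe is my own; the sample paths in main() are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Return 1 if zPath satisfies the three rules from check-in c71e096800,
** 0 otherwise. Hypothetical helper, not part of Fossil. */
int path_is_safe(const char *zPath){
  size_t i;
  if( zPath==0 || zPath[0]==0 ) return 0;
  for(i=0; zPath[i]; i++){
    unsigned char c = (unsigned char)zPath[i];
    if( isalnum(c) || c=='_' || c=='/' ) continue;
    if( c=='-' ){
      /* Rule 2 (as read here): "-" may not directly follow "/" */
      if( i>0 && zPath[i-1]=='/' ) return 0;
      continue;
    }
    if( c=='.' ){
      /* Rule 3: both neighbours must be alphanumeric. This rejects "..",
      ** a leading ".", "/.name" and a trailing "." (zPath[i+1]=='\0'). */
      if( i==0 || !isalnum((unsigned char)zPath[i-1]) ) return 0;
      if( !isalnum((unsigned char)zPath[i+1]) ) return 0;
      continue;
    }
    return 0;  /* Rule 1: every other character is rejected */
  }
  return 1;
}

int main(void){
  /* Constructed sample paths: the first two pass, the rest are refused. */
  const char *azPath[] = {
    "/style.css", "/a-b/c_d.js",
    "/../etc/passwd", "/.htaccess", "/-rf", "/foo.", "/x/y..z", "/foo;bar"
  };
  size_t i;
  for(i=0; i<sizeof(azPath)/sizeof(azPath[0]); i++){
    printf("%-16s %s\n", azPath[i], path_is_safe(azPath[i]) ? "ok" : "refused");
  }
  return 0;
}
```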
Changes
Changes to src/main.c.
Before (src/main.c, lines 1295-1319; blank rows mark where lines are inserted on the right-hand side):
          zRepo[j] = '_';
        }
      }
      if( zRepo[0]=='/' && zRepo[1]=='/' ){ zRepo++; j--; }

      szFile = file_size(zRepo);
      if( szFile<0 ){

        assert( fossil_strcmp(&zRepo[j], ".fossil")==0 );
        zRepo[j] = 0;
        if( zPathInfo[i]=='/' && file_isdir(zRepo)==1 ){
          fossil_free(zToFree);
          i++;
          continue;
        }
        if( file_isfile(zRepo) && strglob("*.fossil*",zRepo)==0 ){




          Blob content;
          blob_read_from_file(&content, zRepo);
          cgi_set_content_type(mimetype_from_name(zRepo));
          cgi_set_content(&content);
          cgi_reply();
          return;
        }
        zRepo[j] = '.';
      }

After (src/main.c, lines 1295-1324; the changed lines are the new `const char *zMimetype;` declaration, the extended `if` condition and the `cgi_set_content_type(zMimetype)` call):
          zRepo[j] = '_';
        }
      }
      if( zRepo[0]=='/' && zRepo[1]=='/' ){ zRepo++; j--; }

      szFile = file_size(zRepo);
      if( szFile<0 ){
        const char *zMimetype;
        assert( fossil_strcmp(&zRepo[j], ".fossil")==0 );
        zRepo[j] = 0;
        if( zPathInfo[i]=='/' && file_isdir(zRepo)==1 ){
          fossil_free(zToFree);
          i++;
          continue;
        }
        if( file_isfile(zRepo)
         && strglob("*.fossil*",zRepo)==0
         && (zMimetype = mimetype_from_name(zRepo))!=0
         && strcmp(zMimetype, "application/x-fossil-artifact")!=0
        ){
          Blob content;
          blob_read_from_file(&content, zRepo);
          cgi_set_content_type(zMimetype);
          cgi_set_content(&content);
          cgi_reply();
          return;
        }
        zRepo[j] = '.';
      }
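Review bot: in the extended `if` condition, the two new clauses `(zMimetype = mimetype_from_name(zRepo))!=0` and `strcmp(zMimetype, "application/x-fossil-artifact")!=0` encode the "unrecognized suffix" rule from the check-in comment, but nothing in the hunk says which of the two a name with an unknown suffix actually hits (a NULL return, the sentinel type, or both), so a short comment above the `if` stating what mimetype_from_name() returns for an unknown name, and a named constant for the literal shared with that function, would make the guard reviewable and keep the two sides from drifting apart. Style: the assert a few lines up uses fossil_strcmp(), so `strcmp(zMimetype, ...)` should be `fossil_strcmp(zMimetype, ...)` for consistency with the rest of the file. Worth recording in that comment as well that this remains a suffix-based allow-list: a file whose suffix maps to a known type is served whatever its contents, with `strglob("*.fossil*",zRepo)==0` the only other name-based exclusion.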