Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Don't send Basic Authorization except after prompting user. This is done by detecting 401 Authorization Required. It also allows the HTTP Authorization credentials to be different from the Fossil user which means the integrity of the Fossil password can be maintained if so desired. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | http-auth |
| Files: | files | file ages | folders |
| SHA1: |
c61554976dde870c8b5dcbbdead5977a |
| User & Date: | andybradford 2014-02-03 07:03:32.260 |
Context
|
2014-02-03
| ||
| 07:07 | Correct altered comment. Sneaky vi and J joining lines without my knowledge! ... (check-in: e38bfdae85 user: andybradford tags: http-auth) | |
| 07:03 | Don't send Basic Authorization except after prompting user. This is done by detecting 401 Authorization Required. It also allows the HTTP Authorization credentials to be different from the Fossil user which means the integrity of the Fossil password can be maintained if so desired. ... (check-in: c61554976d user: andybradford tags: http-auth) | |
|
2014-02-02
| ||
| 01:49 | Remove the HTTP Authorization setting if the URL is changed with remote-url. ... (check-in: 456a1edd70 user: andybradford tags: http-auth) | |
Changes
Changes to src/clone.c.
| ︙ | ︙ | |||
107 108 109 110 111 112 113 | ** ** Options: ** --admin-user|-A USERNAME Make USERNAME the administrator ** --once Don't save url. ** --private Also clone private branches ** --ssl-identity=filename Use the SSL identity if requested by the server ** --ssh-command|-c 'command' Use this SSH command | | > | | 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 |
**
** Options:
** --admin-user|-A USERNAME Make USERNAME the administrator
** --once Don't save url.
** --private Also clone private branches
** --ssl-identity=filename Use the SSL identity if requested by the server
** --ssh-command|-c 'command' Use this SSH command
** --httpauth|-B 'user:pass' Add HTTP Basic Authorization to requests
**
** See also: init
*/
void clone_cmd(void){
char *zPassword;
const char *zDefaultUser; /* Optional name of the default user */
const char *zHttpAuth; /* HTTP Authorization user:pass information */
int nErr = 0;
int bPrivate = 0; /* Also clone private branches */
int urlFlags = URL_PROMPT_PW | URL_REMEMBER;
if( find_option("private",0,0)!=0 ) bPrivate = SYNC_PRIVATE;
if( find_option("once",0,0)!=0) urlFlags &= ~URL_REMEMBER;
zHttpAuth = find_option("httpauth","B",1);
zDefaultUser = find_option("admin-user","A",1);
clone_ssh_find_options();
url_proxy_options();
if( g.argc < 4 ){
usage("?OPTIONS? FILE-OR-URL NEW-REPOSITORY");
}
db_open_config(0);
|
| ︙ | ︙ | |||
159 160 161 162 163 164 165 |
db_begin_transaction();
db_record_repository_filename(g.argv[3]);
db_initial_setup(0, 0, zDefaultUser, 0);
user_select();
db_set("content-schema", CONTENT_SCHEMA, 0);
db_set("aux-schema", AUX_SCHEMA, 0);
db_set("rebuilt", get_version(), 0);
| | | 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
db_begin_transaction();
db_record_repository_filename(g.argv[3]);
db_initial_setup(0, 0, zDefaultUser, 0);
user_select();
db_set("content-schema", CONTENT_SCHEMA, 0);
db_set("aux-schema", AUX_SCHEMA, 0);
db_set("rebuilt", get_version(), 0);
remember_or_get_http_auth(zHttpAuth, urlFlags & URL_REMEMBER, g.argv[2]);
url_remember();
if( g.zSSLIdentity!=0 ){
/* If the --ssl-identity option was specified, store it as a setting */
Blob fn;
blob_zero(&fn);
file_canonical_name(g.zSSLIdentity, &fn, 0);
db_set("ssl-identity", blob_str(&fn), 0);
|
| ︙ | ︙ | |||
203 204 205 206 207 208 209 | /* ** If user chooses to use HTTP Authentication over unencrypted HTTP, ** remember decision. Otherwise, if the URL is being changed and no preference ** has been indicated, err on the safe side and revert the decision. ** Set the global preference if the URL is not being changed. */ | | > > > | | | | | | | 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 |
/*
** If user chooses to use HTTP Authentication over unencrypted HTTP,
** remember decision. Otherwise, if the URL is being changed and no preference
** has been indicated, err on the safe side and revert the decision.
** Set the global preference if the URL is not being changed.
*/
void remember_or_get_http_auth(const char *zHttpAuth, int fRemember, const char *zUrl){
if( zHttpAuth && zHttpAuth[0] ){
g.zHttpAuth = mprintf("%s", zHttpAuth);
}
if( fRemember ){
if( g.zHttpAuth && g.zHttpAuth[0] ){
db_set("http-auth", obscure(g.zHttpAuth), 0);
}else if( zUrl && zUrl[0] ){
db_unset("http-auth", 0);
}else{
g.zHttpAuth = unobscure(db_get("http-auth",0));
}
}else if( g.zHttpAuth==0 && zUrl==0 ){
g.zHttpAuth = unobscure(db_get("http-auth",0));
}
}
/*
** Look for SSH clone command line options and setup in globals.
*/
void clone_ssh_find_options(void){
|
| ︙ | ︙ |
Changes to src/http.c.
|
| < | | 1 2 3 4 5 6 7 8 | /* ** Copyright (c) 2007 D. Richard Hipp ** ** This program is free software; you can redistribute it and/or ** modify it under the terms of the Simplified BSD License (also ** known as the "2-Clause License" or "FreeBSD License".) ** This program is distributed in the hope that it will be useful, ** but without any warranty; without even the implied warranty of |
| ︙ | ︙ | |||
17 18 19 20 21 22 23 24 25 26 27 28 29 30 | ** ** This file contains code that implements the client-side HTTP protocol */ #include "config.h" #include "http.h" #include <assert.h> /* ** Construct the "login" card with the client credentials. ** ** login LOGIN NONCE SIGNATURE ** ** The LOGIN is the user id of the client. NONCE is the sha1 checksum ** of all payload that follows the login card. SIGNATURE is the sha1 | > > > > > > > > > > > > > | 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | ** ** This file contains code that implements the client-side HTTP protocol */ #include "config.h" #include "http.h" #include <assert.h> #ifdef _WIN32 #include <io.h> #ifndef isatty #define isatty(d) _isatty(d) #endif #ifndef fileno #define fileno(s) _fileno(s) #endif #endif /* Keep track of HTTP Basic Authorization failures */ static int fSeenHttpAuth = 0; /* ** Construct the "login" card with the client credentials. ** ** login LOGIN NONCE SIGNATURE ** ** The LOGIN is the user id of the client. NONCE is the sha1 checksum ** of all payload that follows the login card. SIGNATURE is the sha1 |
| ︙ | ︙ | |||
94 95 96 97 98 99 100 |
}else{
zSep = "/";
}
blob_appendf(pHdr, "POST %s%sxfer/xfer HTTP/1.0\r\n", g.urlPath, zSep);
if( g.urlProxyAuth ){
blob_appendf(pHdr, "Proxy-Authorization: %s\r\n", g.urlProxyAuth);
}
| | | < > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 |
}else{
zSep = "/";
}
blob_appendf(pHdr, "POST %s%sxfer/xfer HTTP/1.0\r\n", g.urlPath, zSep);
if( g.urlProxyAuth ){
blob_appendf(pHdr, "Proxy-Authorization: %s\r\n", g.urlProxyAuth);
}
if( g.zHttpAuth && g.zHttpAuth[0] ){
const char *zCredentials = g.zHttpAuth;
char *zEncoded = encode64(zCredentials, -1);
blob_appendf(pHdr, "Authorization: Basic %s\r\n", zEncoded);
fossil_free(zEncoded);
}
blob_appendf(pHdr, "Host: %s\r\n", g.urlHostname);
blob_appendf(pHdr, "User-Agent: %s\r\n", get_user_agent());
if( g.urlIsSsh ) blob_appendf(pHdr, "X-Fossil-Transport: SSH\r\n");
if( g.fHttpTrace ){
blob_appendf(pHdr, "Content-Type: application/x-fossil-debug\r\n");
}else{
blob_appendf(pHdr, "Content-Type: application/x-fossil\r\n");
}
blob_appendf(pHdr, "Content-Length: %d\r\n\r\n", blob_size(pPayload));
}
/*
** Use Fossil credentials for HTTP Basic Authorization prompt
*/
static int use_fossil_creds_for_httpauth_prompt(void){
Blob x;
char c;
char *zPrompt = mprintf(
"\nBasic Authorization over %s required to continue.\n"
"Use Fossil username and password (y/N)? ",
g.urlIsHttps==1 ? "encrypted HTTPS" : "unencrypted HTTP");
prompt_user(zPrompt, &x);
c = blob_str(&x)[0];
blob_reset(&x);
free(zPrompt);
return ( c=='y' || c=='Y' );
}
/*
** Prompt to save HTTP Basic Authorization information
*/
static int save_httpauth_prompt(void){
Blob x;
char c;
if( (g.urlFlags & URL_REMEMBER)==0 ) return;
prompt_user("Remember Basic Authorization credentials (Y/n)? ", &x);
c = blob_str(&x)[0];
blob_reset(&x);
return ( c!='n' && c!='N' );
}
/*
** Get the HTTP Basic Authorization credentials from the user
** when 401 is received.
*/
char *prompt_for_httpauth_creds(void){
Blob x;
char *zUser;
char *zPw;
char *zHttpAuth = 0;
if( !isatty(fileno(stdin)) ) return 0;
if ( use_fossil_creds_for_httpauth_prompt() ){
if( g.urlUser && g.urlPasswd ){
zHttpAuth = mprintf("%s:%s", g.urlUser, g.urlPasswd);
}
}else{
prompt_user("Basic Authorization user: ", &x);
zUser = mprintf("%b", &x);
zPw = prompt_for_user_password(zUser);
zHttpAuth = mprintf("%s:%s", zUser, zPw);
blob_reset(&x);
free(zUser);
free(zPw);
}
if( save_httpauth_prompt() ){
db_set("http-auth", obscure(zHttpAuth), 0);
}
return zHttpAuth;
}
/*
** Sign the content in pSend, compress it, and send it to the server
** via HTTP or HTTPS. Get a reply, uncompress the reply, and store the reply
** in pRecv. pRecv is assumed to be uninitialized when
** this routine is called - this routine will initialize it.
**
|
| ︙ | ︙ | |||
198 199 200 201 202 203 204 |
closeConnection = 1;
iLength = -1;
while( (zLine = transport_receive_line(GLOBAL_URL()))!=0 && zLine[0]!=0 ){
/* printf("[%s]\n", zLine); fflush(stdout); */
if( fossil_strnicmp(zLine, "http/1.", 7)==0 ){
if( sscanf(zLine, "HTTP/1.%d %d", &iHttpVersion, &rc)!=2 ) goto write_err;
if( rc==401 ){
| < < < | | | | > > > > > > > > > > > | | > | > > > | 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 |
closeConnection = 1;
iLength = -1;
while( (zLine = transport_receive_line(GLOBAL_URL()))!=0 && zLine[0]!=0 ){
/* printf("[%s]\n", zLine); fflush(stdout); */
if( fossil_strnicmp(zLine, "http/1.", 7)==0 ){
if( sscanf(zLine, "HTTP/1.%d %d", &iHttpVersion, &rc)!=2 ) goto write_err;
if( rc==401 ){
transport_close(GLOBAL_URL());
if( --maxRedirect == 0 ){
fossil_fatal("http authorization limit exceeded");
}
if( g.zHttpAuth==0 ){
g.zHttpAuth = prompt_for_httpauth_creds();
}
if( g.zHttpAuth && g.zHttpAuth[0] ){
if( fSeenHttpAuth ){
free(g.zHttpAuth);
g.zHttpAuth = 0;
fSeenHttpAuth = 0;
}else{
fSeenHttpAuth = 1;
}
return http_exchange(pSend, pReply, useLogin, maxRedirect);
}else{
fossil_warning("HTTP Basic Authorization failed.");
if( g.zHttpAuth ){
free(g.zHttpAuth);
g.zHttpAuth = 0;
}
transport_close(GLOBAL_URL());
return http_exchange(pSend, pReply, useLogin, maxRedirect);
}
}
if( rc!=200 && rc!=302 ){
int ii;
for(ii=7; zLine[ii] && zLine[ii]!=' '; ii++){}
while( zLine[ii]==' ' ) ii++;
fossil_warning("server says: %s", &zLine[ii]);
|
| ︙ | ︙ |
Changes to src/main.c.
| ︙ | ︙ | |||
137 138 139 140 141 142 143 | char *zLocalRoot; /* The directory holding the local database */ int minPrefix; /* Number of digits needed for a distinct UUID */ int fSqlTrace; /* True if --sqltrace flag is present */ int fSqlStats; /* True if --sqltrace or --sqlstats are present */ int fSqlPrint; /* True if -sqlprint flag is present */ int fQuiet; /* True if -quiet flag is present */ int fHttpTrace; /* Trace outbound HTTP requests */ | | | 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 | char *zLocalRoot; /* The directory holding the local database */ int minPrefix; /* Number of digits needed for a distinct UUID */ int fSqlTrace; /* True if --sqltrace flag is present */ int fSqlStats; /* True if --sqltrace or --sqlstats are present */ int fSqlPrint; /* True if -sqlprint flag is present */ int fQuiet; /* True if -quiet flag is present */ int fHttpTrace; /* Trace outbound HTTP requests */ char *zHttpAuth; /* HTTP Authorization user:pass information */ int fSystemTrace; /* Trace calls to fossil_system(), --systemtrace */ int fSshTrace; /* Trace the SSH setup traffic */ int fSshClient; /* HTTP client flags for SSH client */ char *zSshCmd; /* SSH command string */ int fNoSync; /* Do not do an autosync ever. --nosync */ char *zPath; /* Name of webpage being served */ char *zExtra; /* Extra path information past the webpage name */ |
| ︙ | ︙ | |||
647 648 649 650 651 652 653 654 655 656 657 658 659 660 |
g.fSystemTrace = find_option("systemtrace", 0, 0)!=0;
g.fSshTrace = find_option("sshtrace", 0, 0)!=0;
g.fSshClient = 0;
g.zSshCmd = 0;
if( g.fSqlTrace ) g.fSqlStats = 1;
g.fSqlPrint = find_option("sqlprint", 0, 0)!=0;
g.fHttpTrace = find_option("httptrace", 0, 0)!=0;
g.zLogin = find_option("user", "U", 1);
g.zSSLIdentity = find_option("ssl-identity", 0, 1);
g.zErrlog = find_option("errorlog", 0, 1);
if( find_option("utc",0,0) ) g.fTimeFormat = 1;
if( find_option("localtime",0,0) ) g.fTimeFormat = 2;
if( zChdir && file_chdir(zChdir, 0) ){
fossil_fatal("unable to change directories to %s", zChdir);
| > | 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 |
g.fSystemTrace = find_option("systemtrace", 0, 0)!=0;
g.fSshTrace = find_option("sshtrace", 0, 0)!=0;
g.fSshClient = 0;
g.zSshCmd = 0;
if( g.fSqlTrace ) g.fSqlStats = 1;
g.fSqlPrint = find_option("sqlprint", 0, 0)!=0;
g.fHttpTrace = find_option("httptrace", 0, 0)!=0;
g.zHttpAuth = 0;
g.zLogin = find_option("user", "U", 1);
g.zSSLIdentity = find_option("ssl-identity", 0, 1);
g.zErrlog = find_option("errorlog", 0, 1);
if( find_option("utc",0,0) ) g.fTimeFormat = 1;
if( find_option("localtime",0,0) ) g.fTimeFormat = 2;
if( zChdir && file_chdir(zChdir, 0) ){
fossil_fatal("unable to change directories to %s", zChdir);
|
| ︙ | ︙ |
Changes to src/sync.c.
| ︙ | ︙ | |||
81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
** This routine processes the command-line argument for push, pull,
** and sync. If a command-line argument is given, that is the URL
** of a server to sync against. If no argument is given, use the
** most recently synced URL. Remember the current URL for next time.
*/
static void process_sync_args(unsigned *pConfigFlags, unsigned *pSyncFlags){
const char *zUrl = 0;
unsigned configSync = 0;
unsigned urlFlags = URL_REMEMBER | URL_PROMPT_PW;
int urlOptional = 0;
if( find_option("autourl",0,0)!=0 ){
urlOptional = 1;
urlFlags = 0;
}
| > | | 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 |
** This routine processes the command-line argument for push, pull,
** and sync. If a command-line argument is given, that is the URL
** of a server to sync against. If no argument is given, use the
** most recently synced URL. Remember the current URL for next time.
*/
static void process_sync_args(unsigned *pConfigFlags, unsigned *pSyncFlags){
const char *zUrl = 0;
const char *zHttpAuth = 0;
unsigned configSync = 0;
unsigned urlFlags = URL_REMEMBER | URL_PROMPT_PW;
int urlOptional = 0;
if( find_option("autourl",0,0)!=0 ){
urlOptional = 1;
urlFlags = 0;
}
zHttpAuth = find_option("httpauth","B",1);
if( find_option("once",0,0)!=0 ) urlFlags &= ~URL_REMEMBER;
if( find_option("private",0,0)!=0 ){
*pSyncFlags |= SYNC_PRIVATE;
}
if( find_option("verbose","v",0)!=0 ){
*pSyncFlags |= SYNC_VERBOSE;
}
|
| ︙ | ︙ | |||
115 116 117 118 119 120 121 |
}else if( g.argc==3 ){
zUrl = g.argv[2];
}
if( urlFlags & URL_REMEMBER ){
clone_ssh_db_set_options();
}
url_parse(zUrl, urlFlags);
| | | 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
}else if( g.argc==3 ){
zUrl = g.argv[2];
}
if( urlFlags & URL_REMEMBER ){
clone_ssh_db_set_options();
}
url_parse(zUrl, urlFlags);
remember_or_get_http_auth(zHttpAuth, urlFlags & URL_REMEMBER, zUrl);
url_remember();
if( g.urlProtocol==0 ){
if( urlOptional ) fossil_exit(0);
usage("URL");
}
user_select();
if( g.argc==2 ){
|
| ︙ | ︙ |