Overview
| Comment: | Add the /phantoms webpage that lists public phantom artifacts. Count the public phantom artifacts and put a warning on the Security Audit page if the count is non-zero. |
|---|---|
| SHA3-256: |
83db244395090d8365b64c12e7b3a4d8 |
| User & Date: | drh 2020-04-14 13:32:56.723 |
Context
|
2020-04-14
| ||
| 14:27 | Show the table of public phantoms directly on the security audit page. Dig deeper looking for the source of public phantoms. check-in: 941280ae0a user: drh tags: trunk | |
| 13:32 | Add the /phantoms webpage that lists public phantom artifacts. Check the number of public phantom artifacts and puts a warning if the number is non-zero on the Security Audit page. check-in: 83db244395 user: drh tags: trunk | |
| 11:36 | Strengthen defenses against CSRF attacks. check-in: 4c444c1c88 user: drh tags: trunk | |
Changes
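--- a/src/name.c
+++ b/src/name.c
@@ -1323,14 +1323,78 @@
 }else{
 @ <td>private,phantom</td>
 }
 }else{
 @ <td>
 }
 @ </tr>
 }
 @ </table>
 db_finalize(&q);
 style_footer();
 }
 /*
+** WEBPAGE: phantoms
+**
+** Show a list of all "phantom" artifacts that are not marked as "private".
+**
+** A "phantom" artifact is an artifact whose hash named appears in some
+** artifact but whose content is unknown. For example, if a manifest
+** references a particular SHA3 hash of a file, but that SHA3 hash is
+** not on the shunning list and is not in the database, then the file
+** is a phantom. We know it exists, but we do not know its content.
+**
+** Whenever a sync occurs, both each party looks at its phantom list
+** and for every phantom that is not also marked private, it asks the
+** other party to send it the content. This mechanism helps keep all
+** repositories synced up.
+**
+** This page is similar to the /bloblist page in that it lists artifacts.
+** But this page is a special case in that it only shows phantoms that
+** are not private. In other words, this page shows all phantoms that
+** generate extra network traffic on every sync request.
+*/
+void phantom_list_page(void){
+Stmt q;
+char *zRange;
+login_check_credentials();
+if( !g.perm.Read ){ login_needed(g.anon.Read); return; }
+style_header("Public Phantom Artifacts");
+if( g.perm.Admin ){
+style_submenu_element("Artifact Log", "rcvfromlist");
+style_submenu_element("Artifact List", "bloblist");
+}
+if( g.perm.Write ){
+style_submenu_element("Artifact Stats", "artifact_stats");
+}
+zRange = mprintf("IN (SELECT rid FROM phantom EXCEPT"
+" SELECT rid FROM private)");
+describe_artifacts(zRange);
+fossil_free(zRange);
+db_prepare(&q,
+"SELECT rid, uuid, summary, ref"
+" FROM description ORDER BY rid"
+);
+@ <table cellpadding="2" cellspacing="0" border="1">
+@ <tr><th>RID<th>Description<th>Source
+while( db_step(&q)==SQLITE_ROW ){
+int rid = db_column_int(&q,0);
+const char *zUuid = db_column_text(&q, 1);
+const char *zDesc = db_column_text(&q, 2);
+const char *zRef = db_column_text(&q,3);
+@ <tr><td valign="top">%d(rid)</td>
+@ <td valign="top" align="left">%h(zUuid)<br>%h(zDesc)</td>
+if( zRef && zRef[0] ){
+@ <td valign="top">%z(href("%R/info/%!S",zRef))%!S(zRef)</a>
+}else{
+@ <td>
+}
+@ </tr>
+}
+@ </table>
+db_finalize(&q);
+style_footer();
+}
+/*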
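Review bot: phantom_list_page renders every row matched by `SELECT rid FROM phantom EXCEPT SELECT rid FROM private` with no LIMIT, and by the function's own header comment phantoms come into existence when a hash is referenced by an artifact that arrived over sync, so the size of this page and of the describe_artifacts pass behind it is influenced by any peer that can push; the /bloblist page it compares itself to is outside the hunk, but if that page windows its range as its name suggests, this one should take the same kind of bound (or at least a fixed `LIMIT`) so a flood of bogus references cannot turn a Read-level GET into an unbounded query. Separately, `%!S(zRef)` in the Source column does not appear to HTML-escape the way `%h(zUuid)` and `%h(zDesc)` do, which is safe only if describe_artifacts guarantees `ref` always holds a hash; a one-line comment such as `/* ref is a hash filled in by describe_artifacts, never user-supplied text */` would pin that assumption for the next maintainer. The header comment also has two slips worth fixing: "whose hash named appears" should read "whose hash name appears", and "both each party looks" should read "each party looks".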
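--- a/src/security_audit.c
+++ b/src/security_audit.c
@@ -551,14 +551,32 @@
 @ <li><p> Email alert configuration summary:
 @ <table class="label-value">
 stats_for_email();
 @ </table>
 }else{
 @ <li><p> Email alerts are disabled
 }
+n = db_int(0,"SELECT count(*) FROM ("
+"SELECT rid FROM phantom EXCEPT SELECT rid FROM private)");
+if( n>0 ){
+@ <li><p>\
+if( n==1 ){
+@ There is 1 public phantom artifact
+}else{
+@ There are %d(n) public phantom artifacts
+}
+@ (<a href="%R/phantoms">details</a>).
+@ Phantom artifacts are artifacts whose hash name is referenced by some
+@ other artifact but whose content is unknown. Some phantoms are marked
+@ private and those are ignored. But public phantoms cause unnecessary
+@ sync traffic and might represent malicious attempts to corrupt the
+@ repository structure.
+@ </p></li>
+}
 @ </ol>
 style_footer();
 }
 /*
 ** WEBPAGE: takeitprivate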
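Review bot: The new count query repeats, as a second string literal, the exact predicate that /phantoms in name.c uses to pick its rows (`SELECT rid FROM phantom EXCEPT SELECT rid FROM private`), so the number shown on the audit page and the rows behind the `details` link can silently drift apart if either copy is edited; one shared helper, e.g. `int count_public_phantoms(void)` next to phantom_list_page returning this `db_int`, or at minimum a shared `#define PUBLIC_PHANTOM_SQL`, called from both places would keep them in step. The `n` assigned on the first added line is declared above the hunk and the enclosing page function starts outside it, so the audit page's own permission gate is not visible here, while the `details` link lands on a page that requires only Read permission; that is reasonable for hashes already present in public manifests, but a comment at the link noting that /phantoms is intentionally Read-level would stop someone later adding non-public data to it. The warning text says public phantoms "might represent malicious attempts to corrupt the repository structure" but gives the administrator no next step; one sentence saying what to do about them, or that the item is informational, would make the audit entry actionable.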