Overview
| Field | Value |
|---|---|
| Comment: | Merge the latest changes from the ben-security branch into trunk. |
| SHA1: | 6d35cde78d475f86f75746e65b6e37ca |
| User & Date: | drh 2011-05-28 17:56:04.712 |
Context
2011-05-28

| Time | Event |
|---|---|
| 18:51 | Release ... (check-in: 0448438c56 user: drh tags: trunk, release) |
| 17:56 | Merge the latest changes from the ben-security branch into trunk. ... (check-in: 6d35cde78d user: drh tags: trunk, test-%-&-tag) |
| 17:52 | Do not attempt to use fossil_fopen() in place of fopen() in the SQLite shell as doing so causes problems on (some) Macs and does not really help the windows i18n situation. Ticket [034fa7bb2907e96] ... (check-in: e94c1e9068 user: drh tags: trunk) |
| 16:23 | Add the X-Frame-Options: DENY header to HTTP responses, and a comment lamenting that two other helpful security headers can't really be used without breaking things. ... (check-in: 95f04bbfbf user: ben tags: ben-security) |
Changes
Changes to src/cgi.c.
| ︙ | ︙ | |||
291 292 293 294 295 296 297 298 299 300 301 302 303 304 |
}else{
fprintf(g.httpOut, "Status: %d %s\r\n", iReplyStatus, zReplyStatus);
}
if( blob_size(&extraHeader)>0 ){
fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
}
if( g.isConst ){
/* constant means that the input URL will _never_ generate anything
** else. In the case of attachments, the contents won't change because
** an attempt to change them generates a new attachment number. In the
** case of most /getfile calls for specific versions, the only way the
** content changes is if someone breaks the SCM. And if that happens, a
| > > > > > > > > > > > > > > > > > > | 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 |
}else{
fprintf(g.httpOut, "Status: %d %s\r\n", iReplyStatus, zReplyStatus);
}
if( blob_size(&extraHeader)>0 ){
fprintf(g.httpOut, "%s", blob_buffer(&extraHeader));
}
/* Add headers to turn on useful security options in browsers. */
fprintf(g.httpOut, "X-Frame-Options: DENY\r\n");
/* This stops fossil pages appearing in frames or iframes, preventing
** click-jacking attacks on supporting browsers.
**
** Other good headers would be
** Strict-Transport-Security: max-age=62208000
** if we're using https. However, this would break sites which serve different
** content on http and https protocols. Also,
** X-Content-Security-Policy: allow 'self'
** would help mitigate some XSS and data injection attacks, but will break
** deliberate inclusion of external resources, such as JavaScript syntax
** highlighter scripts.
**
** These headers are probably best added by the web server hosting fossil as
** a CGI script.
*/
if( g.isConst ){
/* constant means that the input URL will _never_ generate anything
** else. In the case of attachments, the contents won't change because
** an attempt to change them generates a new attachment number. In the
** case of most /getfile calls for specific versions, the only way the
** content changes is if someone breaks the SCM. And if that happens, a
|
| ︙ | ︙ |
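Review bot: `X-Frame-Options: DENY` is emitted unconditionally for every response, which also forbids Fossil from framing its own pages; `SAMEORIGIN` gives the click-jacking protection the comment describes while still permitting same-origin embedding, and making the value configurable would let deployments that embed Fossil choose. Two smaller points on the same hunk: the header is written immediately after the `extraHeader` block, so a caller that has already placed an `X-Frame-Options` value in `extraHeader` would produce a duplicate header (either check for it or document that `extraHeader` must not set it); and the comment's `X-Content-Security-Policy: allow 'self'` is the pre-standard Mozilla syntax, the standardized form being `Content-Security-Policy: default-src 'self'`, which is worth stating so the comment does not steer a later implementer toward the obsolete header name.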