Fossil

History for src/security_audit.c

2020-05-28
14:58
[dc3c7cfa] part of check-in [dba4c4f2] Initial infrastructure for a command-line version of the security audit page. (check-in: [dba4c4f2] user: drh branch: audit-command, size: 28279)
12:05
[6817ea33] part of check-in [a80861de] Add a notification that online file editing is enabled to the security audit. (check-in: [a80861de] user: drh branch: trunk, size: 25392)
2020-04-24
00:49
[428dbb93] part of check-in [3b7970e0] Add the ability to deny capabilities to self-registered accounts until the email verification comes through. (check-in: [3b7970e0] user: drh branch: restricted-self-registration, size: 25151)
2020-04-14
14:27
[41f2eadf] part of check-in [941280ae] Show the table of public phantoms directly on the security audit page. Dig deeper looking for the source of public phantoms. (check-in: [941280ae] user: drh branch: trunk, size: 25149)
13:32
[8f0a876b] part of check-in [83db2443] Add the /phantoms webpage that lists public phantom artifacts. Check the number of public phantom artifacts and put a warning if the number is non-zero on the Security Audit page. (check-in: [83db2443] user: drh branch: trunk, size: 25201)
2020-03-12
18:17
[f3413184] part of check-in [8059b9ca] Repurposed the check for "d" cap in the Security Audit page to warn that it should be removed from use. It checks the anonymous, developer, and reader users for it only, not any one-off uses. It also doesn't check Setup or Admin, but presumably whatever we reuse "d" for in the future will be granted to them by default. (check-in: [8059b9ca] user: wyoung branch: eradicate-d-cap, size: 24539)
2020-02-27
19:16
[ea45c622] part of check-in [0c374456] More information on Setup and in Security-Audit to help admins configure Public Pages with the correct capabilities. (check-in: [0c374456] user: drh branch: trunk, size: 24228)
2020-02-26
14:28
[3c00ffa5] part of check-in [14c81d9d] Put the Content-Security-Policy in the HTTP reply header in addition to the HTML header. That way, the CSP is enforced even for raw HTML pages or if the skin provides an HTML header that omits the CSP. Add a new "default-csp" setting included with the skin that allows an administrator to change the CSP to allow for CDNs and such. (check-in: [14c81d9d] user: drh branch: trunk, size: 23928)
2020-02-12
17:03
[14c28365] part of check-in [5c0bb964] Provide a scary warning about the use of TH1 docs on the Security Audit page. (check-in: [5c0bb964] user: drh branch: trunk, size: 24425)
2019-09-19
14:14
[74f8651e] part of check-in [eb804dc6] In the db_get(N,D) function, if N is a setting, then always leave D as NULL so that we use the published default value for that setting. (check-in: [eb804dc6] user: drh branch: trunk, size: 23005)
2019-08-20
02:09
[ad815d34] part of check-in [3243a6c1] Fix a compiler warning in the security-audit page. (check-in: [3243a6c1] user: drh branch: trunk, size: 23008)
2019-08-19
17:18
[2e3920bc] part of check-in [9cf90a4f] Have the security-audit page analyze and display the content security policy. (check-in: [9cf90a4f] user: drh branch: trunk, size: 23001)
2019-08-04
20:23
[b023cd11] part of check-in [a3bc6552] Improvements to the Security-Audit page - mostly in providing additional information about the files in the CGI extension folder. (check-in: [a3bc6552] user: drh branch: trunk, size: 20485)
2019-08-02
13:34
[2a119e59] part of check-in [e2cad541] Update the security audit to report when extension CGI is available. (check-in: [e2cad541] user: drh branch: trunk, size: 20154)
2019-05-11
00:17
[30e55791] part of check-in [530963e0] Updates to the change log, as well as other minor documentation improvements. (check-in: [530963e0] user: drh branch: trunk, size: 20040)
2019-03-25
06:18
[a0e28b03] part of check-in [1614c9b5] Typo fix, reported in the forum: administator. (check-in: [1614c9b5] user: stephan branch: trunk, size: 19835)
2019-01-22
02:52
[229c0f40] part of check-in [37918a1f] Updated the Security-Audit page to better handle the change from the old https-login setting to the new redirect-to-https setting. (check-in: [37918a1f] user: wyoung branch: trunk, size: 19834)
2018-11-28
18:42
[4950cbf3] part of check-in [42c3364f] Found several more pages protected with "!g.perm.Setup && !g.perm.Admin" guards: changed them all to "!g.perm.Admin" only for the same reason as [558952c8]. (check-in: [42c3364f] user: wyoung branch: trunk, size: 19670)
18:34
[3df788aa] part of check-in [558952c8] The /secaudit0 page was checking for both Admin and Setup capabilities, which means it was only accessible to users with Setup users, since that is the only class that can have both capabilities. Since it's documented as being available to Admin users, changed the logic to allow access to Admin *OR* Setup users. (check-in: [558952c8] user: wyoung branch: trunk, size: 19721)
2018-10-17
23:53
[d3a6b6a0] part of check-in [724ccc46] Enhance the security-audit page to detect insecurities resulting from having self-registration enabled. This is a work in progress. More testing and more checks are needed in this area. (check-in: [724ccc46] user: drh branch: trunk, size: 19721)
2018-08-30
21:19
[e84908c0] part of check-in [cfbbc537] Change the name of the "email.c" source file into "alerts.c". Make corresponding changes to various interfaces. (check-in: [cfbbc537] user: drh branch: refactor-alerts, size: 18137)
2018-08-17
12:32
[a8ba14e5] part of check-in [397d23c1] Improvements to privilege processing and the "Security Audit" page /secaudit0. (check-in: [397d23c1] user: drh branch: trunk, size: 18137)
2018-07-31
04:18
[fc83d40e] part of check-in [a9e67fe6] Add the email alerts configuration summary to the security audit page. (check-in: [a9e67fe6] user: drh branch: forum-v2, size: 18081)
2018-07-30
21:08
[631dd753] part of check-in [39d5e675] Add the user capability summary to the security audit. (check-in: [39d5e675] user: drh branch: forum-v2, size: 17881)
19:14
[a29dffbd] part of check-in [8a28a37c] Break out the processing of capability strings into a separate source file. Add new SQL functions: capunion() and fullcap(). Only send email notifications to users who have appropriate capabilities. (check-in: [8a28a37c] user: drh branch: forum-v2, size: 17819)
16:01
[64df87e3] part of check-in [5d6fc967] Add new security-audit checks for forum and "Announce" privileges. (check-in: [5d6fc967] user: drh branch: forum-v2, size: 17836)
2018-07-19
15:52
[3366c625] part of check-in [aa17077e] Backoffice only runs for successful webpages that have the database open. Add "refresh" and "Show All" buttons on the /errorlog page. (check-in: [aa17077e] user: drh branch: trunk, size: 16526)
2018-07-15
18:31
[f2b10296] part of check-in [06d4751a] Improvements to error logging. Only log fossil_panic() calls, not fossil_fatal() calls. (check-in: [06d4751a] user: drh branch: trunk, size: 16339)
2018-07-12
14:55
[de86da99] part of check-in [c931dd7b] Add "Download", "Test", and "Truncate" submenu buttons on the /errorlog page. Show a confirmation page prior to truncating the error log. Improvements to the /test-warning page, including a link back to /errorlog through the submenu. (check-in: [c931dd7b] user: drh branch: trunk, size: 16339)
14:09
[30a24a06] part of check-in [8e3bad04] Add "Truncate" and "Download" buttons to the /errorlog display. Provide a link to the error log on the /setup page. (check-in: [8e3bad04] user: drh branch: trunk, size: 16053)
2018-06-29
15:29
[7b7d6a51] part of check-in [fe5e9de1] Less severe warning on the security audit if the server error log is disabled. (check-in: [fe5e9de1] user: drh branch: trunk, size: 15635)
2018-06-26
11:54
[c9b102c9] part of check-in [6a7d2ad8] Fix compiler warnings on windows. Fix the file_directory_size() function so that it works on windows. (check-in: [6a7d2ad8] user: drh branch: trunk, size: 15764)
2018-06-25
16:19
[479c457a] part of check-in [69d332ff] Fix harmless compiler warnings. Also remove the "ago" text from the "Last Change" column in the subscriber list webpage. (check-in: [69d332ff] user: drh branch: trunk, size: 15764)
13:47
[09c62594] part of check-in [a9e74eb3] Add information about the server error log to the security audit page. Provide the new /errorlog page for viewing the server logfile online. (check-in: [a9e74eb3] user: drh branch: trunk, size: 15776)
2017-12-07
11:33
[39296d08] part of check-in [4d1ac686] Spelling typos from Debian (check-in: [4d1ac686] user: drh branch: trunk, size: 13313)
2017-07-12
18:55
[7258617b] part of check-in [7c0b9714] Remove an unused variable from the security audit webpage. (check-in: [7c0b9714] user: drh branch: trunk, size: 13312)
03:02
[ffb80cbb] part of check-in [35f712d4] Fix a typo on the security audit webpage. (check-in: [35f712d4] user: drh branch: trunk, size: 13324)
2017-07-03
09:31
[4990fcdc] part of check-in [86d4754a] Update changes.wiki. Some eol-spacing (check-in: [86d4754a] user: jan.nijtmans branch: trunk, size: 13326)
2017-07-01
22:43
[284d2e62] part of check-in [5c999558] Fix a minor problem with Write-Unver reporting on the security audit report. (check-in: [5c999558] user: drh branch: trunk, size: 13340)
22:17
[84b96ba7] part of check-in [564e42df] More checking of user permissions on the Security Audit page. (check-in: [564e42df] user: drh branch: trunk, size: 13373)
00:52
[bbdd8771] part of check-in [752365e7] Improved wording on some of the security-audit warnings. (check-in: [752365e7] user: drh branch: trunk, size: 11630)
00:51
[af02cf1a] part of check-in [4253b1de] More security-audit checks. (check-in: [4253b1de] user: drh branch: trunk, size: 11693)
2017-06-30
18:28
[e3453d85] part of check-in [6c543c03] New security audit checks. (check-in: [6c543c03] user: drh branch: trunk, size: 10426)
16:13
[c0ab1b92] part of check-in [c12ffe2c] Many new permission checks for the security-audit page. (check-in: [c12ffe2c] user: drh branch: security-audit, size: 8033)
15:17
[3944762c] part of check-in [7f29e264] Start the security audit by checking to see if the repos is public or private. (check-in: [7f29e264] user: drh branch: security-audit, size: 4885)
13:36
[75463054] part of check-in [c5504029] Add a stub for the Security Audit page. (check-in: [c5504029] user: drh branch: security-audit, size: 1110) Added