Fossil

Check-in [c71e0968]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Additional restrictions on the names of files served by "fossil server DIRECTORY": (1) only alphanumerics, "_", "-", "/", and "." characters are allowed in the pathname. (2) A "-" may not occur after a "/". (3) Every "." must be surrounded on both sides alphanumerics. This check-in also updates the changelog for the 1.25 release.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: c71e096800109b95711c3586f8ebf380226751b8
User & Date: drh 2012-12-01 04:37:35
Context
2012-12-01
04:49
Update the documentation on the "fossil http" and "fossil server" commands to talk about restrictions on filenames and to describe how static content files can be returned. check-in: 99ab9fb4 user: drh tags: trunk
04:37
Additional restrictions on the names of files served by "fossil server DIRECTORY": (1) only alphanumerics, "_", "-", "/", and "." characters are allowed in the pathname. (2) A "-" may not occur after a "/". (3) Every "." must be surrounded on both sides alphanumerics. This check-in also updates the changelog for the 1.25 release. check-in: c71e0968 user: drh tags: trunk
04:10
Additional webserver security: Do not allow the "fossil server" command to return any static content with an unrecognized suffix. check-in: 4a5e972e user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/main.c.

1280
1281
1282
1283
1284
1285
1286
1287
1288


1289

1290
1291
1292
1293
1294
1295





1296


1297

1298
1299
1300

1301
1302
1303
1304
1305
1306
1307

    i = zPathInfo[0]!=0;
    while( 1 ){
      while( zPathInfo[i] && zPathInfo[i]!='/' ){ i++; }
      zRepo = zToFree = mprintf("%s%.*s.fossil",g.zRepositoryName,i,zPathInfo);

      /* To avoid mischief, make sure the repository basename contains no
      ** characters other than alphanumerics, "-", "/", "_", and "." beside
      ** "/" or ".".


      */

      for(j=strlen(g.zRepositoryName)+1, k=0; zRepo[j] && k<i-1; j++, k++){
        char c = zRepo[j];
        if( !fossil_isalnum(c) && c!='-' && c!='/'
         && (c!='.' || zRepo[j+1]=='/' || zRepo[j-1]=='/' || zRepo[j+1]=='.')
        ){
          zRepo[j] = '_';





        }


      }

      if( zRepo[0]=='/' && zRepo[1]=='/' ){ zRepo++; j--; }

      szFile = file_size(zRepo);

      if( szFile<0 ){
        const char *zMimetype;
        assert( fossil_strcmp(&zRepo[j], ".fossil")==0 );
        zRepo[j] = 0;
        if( zPathInfo[i]=='/' && file_isdir(zRepo)==1 ){
          fossil_free(zToFree);
          i++;







|
|
>
>

>


|
<
<
<
>
>
>
>
>

>
>

>
|
<
|
>







1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295



1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306

1307
1308
1309
1310
1311
1312
1313
1314
1315

    i = zPathInfo[0]!=0;
    while( 1 ){
      while( zPathInfo[i] && zPathInfo[i]!='/' ){ i++; }
      zRepo = zToFree = mprintf("%s%.*s.fossil",g.zRepositoryName,i,zPathInfo);

      /* To avoid mischief, make sure the repository basename contains no
      ** characters other than alphanumerics, "/", "_", "-", and ".", and
      ** that "-" never occurs immediately after a "/" and that "." is always
      ** surrounded by two alphanumerics.  Any character that does not 
      ** satisfy these constraints is converted into "_".
      */
      szFile = 0;
      for(j=strlen(g.zRepositoryName)+1, k=0; zRepo[j] && k<i-1; j++, k++){
        char c = zRepo[j];
        if( fossil_isalnum(c) ) continue;



        if( c=='/' ) continue;
        if( c=='_' ) continue;
        if( c=='-' && zRepo[j-1]!='/' ) continue;
        if( c=='.' && fossil_isalnum(zRepo[j-1]) && fossil_isalnum(zRepo[j+1])){
          continue;
        }
        szFile = 1;
        break;
      }
      if( szFile==0 ){
        if( zRepo[0]=='/' && zRepo[1]=='/' ){ zRepo++; j--; }

        szFile = file_size(zRepo);
      }
      if( szFile<0 ){
        const char *zMimetype;
        assert( fossil_strcmp(&zRepo[j], ".fossil")==0 );
        zRepo[j] = 0;
        if( zPathInfo[i]=='/' && file_isdir(zRepo)==1 ){
          fossil_free(zToFree);
          i++;

Changes to www/changes.wiki.

26
27
28
29
30
31
32
33



34
35
36
37
38
39
40
..
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
     on embedded documentation.
  *  The check-in comment editor on windows now defaults to NotePad.exe.
  *  Correctly deal with BOMs in check-in comments.  Also attempt to convert 
     check-in comments to UTF8 from other encodings.
  *  Allow the deletion of multiple stash entries using multiple arguments
     to the "fossil stash rm" command.
  *  Enhance the "fossil server DIRECTORY" command to serve static content
     files contained in DIRECTORY.



  *  Allow the "fossil ui" command to specify a directory as long as the
     the --notfound option is used.
  *  Add a configuration option that causes timeline messages to be rendered
     as text/x-fossil-plain (which is the same as text/plain except that
     hyperlinks inside of <nowiki>[...]</nowiki> are decorated.)
  *  Only decorate <nowiki>[...]</nowiki> in check-in comments and tickets
     if the contented text really is a valid hyperlink target.
................................................................................
     a delta loop when a file changes from its original state, through two
     or more intermediate states, and back to the original state, all within
     a single sync.
  *  Show much less output during a sync operation, unless the --verbose
     option is used.
  *  Set the action= attribute of &lt;form&gt; elements using javascript,
     as an addition defense against spam-bots.
  *  Disallow invalid UTF8 characters (such as overlength characters or
     characters in the surrogate pair range) in filename.
  *  Judge the UserAgent strings issued by the NetSurf webbrowser to be
     coming from a human, not from a bot.
  *  Add the zlib sources to the Fossil source tree (under compat/zlib) and
     use those sources when compiling on (windows) systems that do not have
     a zlib library installed by default.
  *  Prompt the user with the option to convert non-UTF8 files into UTF8
     when committing.







|
>
>
>







 







|
|







26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
..
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
     on embedded documentation.
  *  The check-in comment editor on windows now defaults to NotePad.exe.
  *  Correctly deal with BOMs in check-in comments.  Also attempt to convert 
     check-in comments to UTF8 from other encodings.
  *  Allow the deletion of multiple stash entries using multiple arguments
     to the "fossil stash rm" command.
  *  Enhance the "fossil server DIRECTORY" command to serve static content
     files contained in DIRECTORY.  For security, only files with a 
     recognized suffix (such as *.html, *.jpg, *.txt, etc) will be delivered
     as static content, and *.fossil files are not on the list of recognized
     suffixes.  There are additional restrictions on the names of the files.
  *  Allow the "fossil ui" command to specify a directory as long as the
     the --notfound option is used.
  *  Add a configuration option that causes timeline messages to be rendered
     as text/x-fossil-plain (which is the same as text/plain except that
     hyperlinks inside of <nowiki>[...]</nowiki> are decorated.)
  *  Only decorate <nowiki>[...]</nowiki> in check-in comments and tickets
     if the contented text really is a valid hyperlink target.
................................................................................
     a delta loop when a file changes from its original state, through two
     or more intermediate states, and back to the original state, all within
     a single sync.
  *  Show much less output during a sync operation, unless the --verbose
     option is used.
  *  Set the action= attribute of &lt;form&gt; elements using javascript,
     as an addition defense against spam-bots.
  *  Disallow invalid UTF8 characters (such as characters in the surrogate
     pair range) in filenames.
  *  Judge the UserAgent strings issued by the NetSurf webbrowser to be
     coming from a human, not from a bot.
  *  Add the zlib sources to the Fossil source tree (under compat/zlib) and
     use those sources when compiling on (windows) systems that do not have
     a zlib library installed by default.
  *  Prompt the user with the option to convert non-UTF8 files into UTF8
     when committing.