Fossil: Ticket Change Details

Overview

Artifact ID:	19319ee22a88a56f25514aeb7fd667d6b7af8ec4
Ticket:	ce33b14f8fa9a41679705502086ca5fdfb5d142f 'configure pull' command recevie empty response.
User & Date:	anonymous 2009-10-09 05:11:36

Changes

comment changed to:

Server send empty response for non authorative user's 'configure pull' command.

I create three patch variations. (I think first version is simple and good.)

1. when 'reqconfig' card received, grant 'nobody' capabilities to non-authoratives. (like 'clone' card)<br>xfer.c / page_xfer()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-1.c    2009-10-09 09:11:39.000000000 +0900
@@ -747,6 +747,7 @@
     if( blob_eq(&xfer.aToken[0], "reqconfig")
      && xfer.nToken==2
     ){
+      login_check_credentials();
       if( g.okRead ){
         char *zName = blob_str(&xfer.aToken[1]);
         if( configure_is_exportable(zName) ){
</verbatim></blockquote>
Currently, 'check_login()' function defined in 'xfer.c' grants
no capabilities to unauthoratives.

2. when 'login' card received, grant 'nobody' capabilities if authorization failed.<br>(This patch also accept non-registered users and registered but wrong password specified as 'nobody')<br>This patch always need 'login' card.<br>xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-2.c    2009-10-09 09:13:16.000000000 +0900
@@ -421,6 +421,8 @@
   if( rc==0 ){
     /* If the login was successful. */
     login_set_anon_nobody_capabilities();
+  }else{
+    login_check_credentials();
   }
 }
</verbatim></blockquote>

3. when 'login' card received, grant 'anonymous' capabilities to 'anonymous' with empty password.<br>(This patch deny non-registered users and registered but wrong password specified.<br>User who not registered need 'anonymous@' for 'configure pull' command URL parameter.)<br>NG: <tt>fossil configure pull skin http://example.net</tt><br>OK: <tt>fossil configure pull skin http://anonoymous@example.net</tt><br>This patch always need 'login' card.<br>xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-3.c    2009-10-09 09:14:21.000000000 +0900
@@ -391,14 +391,16 @@
   db_prepare(&q,
      "SELECT pw, cap, uid FROM user"
      " WHERE login=%Q"
-     "   AND login NOT IN ('anonymous','nobody','developer','reader')"
+     "   AND login NOT IN ('nobody','developer','reader')"
      "   AND length(pw)>0",
      zLogin
   );
   if( db_step(&q)==SQLITE_ROW ){
     Blob pw, combined, hash;
     blob_zero(&pw);
-    db_ephemeral_blob(&q, 0, &pw);
+    if( strcmp(zLogin,"anonymous")!=0 ){
+      db_ephemeral_blob(&q, 0, &pw);
+    }
     blob_zero(&combined);
     blob_copy(&combined, pNonce);
     blob_append(&combined, blob_buffer(&pw), blob_size(&pw));
</verbatim></blockquote>

foundin changed to: "ca08c1d1b3"
private_contact changed to: "6b7d8d19b3584e0b0b59ee79d0f778ecd9f60111"
severity changed to: "Minor"
status changed to: "Open"
title changed to: "'configure pull' command recevie empty response."
type changed to: "Incident"