Ticket Change Details
Overview

Artifact ID: 19319ee22a88a56f25514aeb7fd667d6b7af8ec4
Ticket: ce33b14f8fa9a41679705502086ca5fdfb5d142f
'configure pull' command receives an empty response.
User & Date: anonymous 2009-10-09 05:11:36
Changes

  1. comment changed to:
    The server sends an empty response for a non-authoritative user's 'configure pull' command.
    
    I created three patch variations. (I think the first version is simple and good.)
    
    1. When the 'reqconfig' card is received, grant 'nobody' capabilities to non-authoritative users (like the 'clone' card).<br>
    xfer.c / page_xfer()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
    +++ xfer-1.c    2009-10-09 09:11:39.000000000 +0900
    @@ -747,6 +747,7 @@
         if( blob_eq(&xfer.aToken[0], "reqconfig")
          && xfer.nToken==2
         ){
    +      login_check_credentials();
           if( g.okRead ){
             char *zName = blob_str(&xfer.aToken[1]);
             if( configure_is_exportable(zName) ){
    </verbatim></blockquote>
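    Review bot: the added `login_check_credentials();` runs on every `reqconfig` card with no check that a preceding `login` card has already established a user, so the capabilities that `check_login()` granted from a valid login may be recomputed from an HTTP request that carries no session cookie. Suggest calling it only when no user has been established by a `login` card, and noting in a comment that this is the `nobody` fallback for unauthenticated pulls, since the surrounding `if( g.okRead )` then decides purely on those fallback capabilities.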
    Currently, the 'check_login()' function defined in 'xfer.c' grants
    no capabilities to non-authoritative users.
    
    2. When the 'login' card is received, grant 'nobody' capabilities if authorization failed.<br>
    (This patch also accepts non-registered users, and registered users who specified a wrong password, as 'nobody'.)<br>
    This patch always needs a 'login' card.<br>
    xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
    +++ xfer-2.c    2009-10-09 09:13:16.000000000 +0900
    @@ -421,6 +421,8 @@
       if( rc==0 ){
         /* If the login was successful. */
         login_set_anon_nobody_capabilities();
    +  }else{
    +    login_check_credentials();
       }
     }
    </verbatim></blockquote>
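    Review bot: the new `else` branch silently turns any failed `login` card (unknown user or wrong password) into `nobody` capabilities, so a client that mistyped a password is never told its credentials were rejected and only learns something is wrong when a read later fails for lack of capability. Suggest reporting the authentication failure to the client in that branch before falling back, and extending the comment above `if( rc==0 )` to state that failure now degrades to `nobody` rather than leaving the request without capabilities. As the comment above notes, this branch does nothing when no `login` card is sent at all, so the reported `configure pull` without a user in the URL is not covered by this variant.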
    
    3. When the 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.<br>
    (This patch denies non-registered users and registered users who specified a wrong password.<br>
    A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)<br>
    NG: <tt>fossil configure pull skin http://example.net</tt><br>
    OK: <tt>fossil configure pull skin http://anonymous@example.net</tt><br>
    This patch always needs a 'login' card.<br>
    xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
    +++ xfer-3.c    2009-10-09 09:14:21.000000000 +0900
    @@ -391,14 +391,16 @@
       db_prepare(&q,
          "SELECT pw, cap, uid FROM user"
          " WHERE login=%Q"
    -     "   AND login NOT IN ('anonymous','nobody','developer','reader')"
    +     "   AND login NOT IN ('nobody','developer','reader')"
          "   AND length(pw)>0",
          zLogin
       );
       if( db_step(&q)==SQLITE_ROW ){
         Blob pw, combined, hash;
         blob_zero(&pw);
    -    db_ephemeral_blob(&q, 0, &pw);
    +    if( strcmp(zLogin,"anonymous")!=0 ){
    +      db_ephemeral_blob(&q, 0, &pw);
    +    }
         blob_zero(&combined);
         blob_copy(&combined, pNonce);
         blob_append(&combined, blob_buffer(&pw), blob_size(&pw));
    </verbatim></blockquote>
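    Review bot: skipping `db_ephemeral_blob()` for `anonymous` means `combined` is the nonce alone, so the stored anonymous password no longer takes part in the check and the `anonymous` row's capabilities go to any client that names that login, which is the intent stated above but should be said in a comment at the `strcmp` so nobody later "fixes" it. The query still requires `length(pw)>0`, so an `anonymous` row whose stored password happens to be empty is excluded even though the client-side password is meant to be empty; either drop that condition for `anonymous` or document the dependency. The login is also special-cased twice (removed from the `NOT IN` list and tested with `strcmp`); handling it once before the query would keep the two from drifting apart.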
    
  2. foundin changed to: "ca08c1d1b3"
  3. private_contact changed to: "6b7d8d19b3584e0b0b59ee79d0f778ecd9f60111"
  4. severity changed to: "Minor"
  5. status changed to: "Open"
  6. title changed to: "'configure pull' command receives an empty response."
  7. type changed to: "Incident"