Ticket Change Details
Overview

Artifact ID: cf0d15704098422a3a256085aef1aaee0fcd7bd7
Ticket: c9e84b567178d755d216f095ca98da3a92d6a4cd
fossil treats anybody connecting from 127.0.0.1 as user with UID 1
User & Date: anonymous 2010-11-18 01:05:05
Changes

  1. comment changed to:
    Even in server mode, fossil considers any user connecting from 127.0.0.1 to be super user. It seems like no policy mechanism is in effect whatsoever. This is especially troubling in case you are proxying traffic from a web server (say lighttpd) to a fossil instance in server mode, where both programs run on the same machine.
    
    Also, when connecting to a fossil server over SSH and both SSHd and fossil run on the same machine, your connection is considered to originate from 127.0.0.1. No policy can be applied to such users, and anybody connecting in this way is treated as super user.
    This not only affects fossil in server mode but also fossil running as a CGI executed by a web server, if the web server and SSHd are on the same machine.
    
  2. foundin changed to: "9c31866404"
  3. private_contact changed to: "68272c6eae73c7078fef2abf11458ad864fc0aad"
  4. severity changed to: "Severe"
  5. status changed to: "Open"
  6. title changed to:
    fossil treats anybody connecting from 127.0.0.1 as user with UID 1
    
  7. type changed to: "Feature_Request"