Fossil ticket artifact c9e84b567178d755d216f095ca98da3a92d6a4cd

Date: 2010-11-18T01:05:05
User: anonymous
Title: fossil treats anybody connecting from 127.0.0.1 as user with UID 1
Type: Feature_Request
Severity: Severe
Status: Open
Found in: 9c31866404
Private contact: 68272c6eae73c7078fef2abf11458ad864fc0aad

Comment:

Even in server mode, fossil considers any user connecting from 127.0.0.1 to be super user. It seems like no policy mechanism is in effect whatsoever. This is especially troubling in case you are proxying traffic from a web server (say lighttpd) to a fossil instance in server mode, where both programs run on the same machine.

Also, when connecting to a fossil server over SSH and both SSHd and fossil run on the same machine, your connection is considered to originate from 127.0.0.1. No policy can be applied to such users and anybody connecting in this way is treated as super user.

This not only affects fossil in server mode but also fossil running as CGI executed by a web server, if the web server and SSHd are on the same machine.

Artifact checksum (Z card): 7db286aee81e1a3df6f816843061999b