Ticket UUID: ce33b14f8fa9a41679705502086ca5fdfb5d142f
Title: 'configure pull' command receives empty response.
Status: Open Type: Incident
Severity: Minor Priority:
Subsystem: Resolution: Open
Last Modified: 2011-02-18 19:52:23
Version Found In: ca08c1d1b3
Description & Comments:
Server sends an empty response for an unauthorized user's 'configure pull' command.

I created three patch variations. (I think the first version is simple and good.)

1. When a 'reqconfig' card is received, grant 'nobody' capabilities to unauthorized users (like the 'clone' card).
xfer.c / page_xfer()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-1.c    2009-10-09 09:11:39.000000000 +0900
@@ -747,6 +747,7 @@
     if( blob_eq(&xfer.aToken[0], "reqconfig")
      && xfer.nToken==2
     ){
+      login_check_credentials();
       if( g.okRead ){
         char *zName = blob_str(&xfer.aToken[1]);
         if( configure_is_exportable(zName) ){
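Review bot: login_check_credentials() is called on every reqconfig card, unconditionally and ahead of the `if( g.okRead )` test; if an earlier 'login' card in the same request already established a user, confirm that this call does not replace those capabilities with the cookie-based or 'nobody' set (otherwise guard it so it runs only when no login card has succeeded). The fallback itself stays bounded by the existing `if( g.okRead )` and `configure_is_exportable(zName)` checks, so an unauthenticated client only receives configuration that 'nobody' could already read through the web UI, which is consistent with the clone path the ticket cites.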
Currently, the 'check_login()' function defined in 'xfer.c' grants no capabilities to unauthorized users.

2. When a 'login' card is received, grant 'nobody' capabilities if authorization failed.
(This patch also accepts non-registered users, and registered users who specified a wrong password, as 'nobody'.)
This patch always needs a 'login' card.
xfer.c / check_login()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-2.c    2009-10-09 09:13:16.000000000 +0900
@@ -421,6 +421,8 @@
   if( rc==0 ){
     /* If the login was successful. */
     login_set_anon_nobody_capabilities();
+  }else{
+    login_check_credentials();
   }
 }
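Review bot: the new else branch turns an authentication failure (rc!=0) into a silent downgrade to 'nobody' capabilities, so a registered user who sent a wrong password gets the same reply as an anonymous client and never learns that the login was rejected; the ticket text acknowledges this. Consider emitting an error card for the wrong-password case (user exists, hash did not match) and falling back to login_check_credentials() only when no usable credentials were presented, and log the failed attempt server-side so repeated failures remain visible to the administrator.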

3. When a 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.
(This patch denies non-registered users and registered users who specified a wrong password.
A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)
NG: fossil configure pull skin http://example.net
OK: fossil configure pull skin http://anonymous@example.net
This patch always needs a 'login' card.
xfer.c / check_login()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-3.c    2009-10-09 09:14:21.000000000 +0900
@@ -391,14 +391,16 @@
   db_prepare(&q,
      "SELECT pw, cap, uid FROM user"
      " WHERE login=%Q"
-     "   AND login NOT IN ('anonymous','nobody','developer','reader')"
+     "   AND login NOT IN ('nobody','developer','reader')"
      "   AND length(pw)>0",
      zLogin
   );
   if( db_step(&q)==SQLITE_ROW ){
     Blob pw, combined, hash;
     blob_zero(&pw);
-    db_ephemeral_blob(&q, 0, &pw);
+    if( strcmp(zLogin,"anonymous")!=0 ){
+      db_ephemeral_blob(&q, 0, &pw);
+    }
     blob_zero(&combined);
     blob_copy(&combined, pNonce);
     blob_append(&combined, blob_buffer(&pw), blob_size(&pw));
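Review bot: the 'anonymous' special case skips db_ephemeral_blob() for that login, so the combined blob becomes nonce plus an empty password and whatever password is stored for 'anonymous' is ignored, while the query's `length(pw)>0` condition still requires one to exist; the net effect, that the stored 'anonymous' password no longer participates in sync authentication, is easy to miss when reading the SELECT. Handling 'anonymous' explicitly before the password lookup (grant its capabilities without consulting pw, as the first patch does for 'nobody') would make that intent visible and keep the hash comparison meaningful for real accounts; the strcmp also means the login must be spelled exactly 'anonymous' in the URL for the branch to apply.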

anonymous added on 2011-02-18 19:52:23 UTC:
This would be nice to see. At present, if you aren't logged in via remote-url, fs config pull all silently fails unless you're really observant and notice there weren't any received cards. This took me a few minutes of head scratching to figure out. I'm not sure the patch is the right way to solve this (it could be), but I'm glad I'm not the only one who's run into this oddity.

% fs config pull all
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
waiting for server...Total network traffic: 428 bytes sent, 0 bytes received
% fs remote-url
http://127.0.0.1:9023/
% fs remote-url http://sean@127.0.0.1:9023/
password for sean: 
http://sean@127.0.0.1:9023/
% fs config pull all
                Bytes      Cards  Artifacts     Deltas
Sent:             660         26          0          0
Received:       55201         15          0          0
Total network traffic: 490 bytes sent, 39537 bytes received