Overview
SHA1 Hash: | bbb8ae7ebf745fa28b7a280e70bc60e2c2670cab |
---|---|
Date: | 2009-09-15 18:44:51 |
User: | drh |
Comment: | Make it harder to misconfigure the user accounts in a way that might give people greater access than intended. |
Tags And Properties
- branch=trunk inherited from [a28c83647d]
- sym-trunk inherited from [a28c83647d]
Changes
[hide diffs]Modified src/db.c from [6b2ea97719] to [cb27c96070].
@@ -932,11 +932,11 @@
 "VALUES(%Q,lower(hex(randomblob(3))),'s','')", zUser
 );
 if( !setupUserOnly ){
 db_multi_exec(
 "INSERT INTO user(login,pw,cap,info)"
- " VALUES('anonymous','anonymous','ghmncz','Anon');"
+ " VALUES('anonymous',hex(randomblob(8)),'ghmncz','Anon');"
 "INSERT INTO user(login,pw,cap,info)"
 " VALUES('nobody','','jor','Nobody');"
 "INSERT INTO user(login,pw,cap,info)"
 " VALUES('developer','','dei','Dev');"
 "INSERT INTO user(login,pw,cap,info)"
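Review bot: The added `hex(randomblob(8))` password for 'anonymous' has no comment saying why it is randomized, while 'nobody' and 'developer' in the same statement keep an empty password, so the hunk looks inconsistent when read on its own. The reason is only visible in the login.c and xfer.c hunks of this commit, which reject those account names on the password-login paths; a why-comment here keeps a later editor from restoring a fixed value. I would add above the db_multi_exec call: `/* anonymous gets an unguessable password; login.c and xfer.c also refuse password logins for this name */`. Presumably the random value is never disclosed, so it only disables password login for that account; if that is the intent it is worth saying so. The enclosing function starts and ends outside the hunk.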
Modified src/login.c from [1773187215] to [24e3ed3b13].
@@ -179,12 +179,16 @@
 redirect_to_g();
 }
 if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){
 uid = db_int(0,
 "SELECT uid FROM user"
- " WHERE login=%Q AND pw=%Q", zUsername, zPasswd);
- if( uid<=0 || strcmp(zUsername,"nobody")==0 ){
+ " WHERE login=%Q"
+ " AND login NOT IN ('anonymous','nobody','developer','reader')"
+ " AND pw=%Q",
+ zUsername, zPasswd
+ );
+ if( uid<=0 ){
 sleep(1);
 zErrMsg =
 @ <p><font color="red">
 @ You entered an unknown user or an incorrect password.
 @ </font></p>
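Review bot: The list `'anonymous','nobody','developer','reader'` on the added `AND login NOT IN` line is a hard-coded literal that the xfer.c hunk below repeats verbatim, so the two password-login checks can silently drift the next time a special account is added or renamed (the db.c hunk creates 'anonymous', 'nobody' and 'developer'; 'reader' is not visible there). I would define the list once, e.g. `#define LOGIN_SPECIAL_USERS "'anonymous','nobody','developer','reader'"` (name constructed here) in a header both files include, and write the condition as `" AND login NOT IN (" LOGIN_SPECIAL_USERS ")"` in both places. Moving the old `strcmp(zUsername,"nobody")` test into the query is fine, but a one-line comment that these names must never authenticate by password would make the intent clear to a reader who does not see xfer.c. The enclosing function continues outside the hunk on both sides.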
Modified src/xfer.c from [5bb8ce2dae] to [d0ba2feaa9].
@@ -387,10 +387,11 @@
 int rc = -1;
 db_prepare(&q,
 "SELECT pw, cap, uid FROM user"
 " WHERE login=%B"
+ " AND login NOT IN ('anonymous','nobody','developer','reader')"
 " AND length(pw)>0",
 pLogin
 );
 if( db_step(&q)==SQLITE_ROW ){
 Blob pw, combined, hash;