Ticket Change Details

Changes to ticket ce33b14f8f

By anonymous on 2009-10-09 05:11:36.

    1. Change comment to "Server sends an empty response for a non-authoritative user's 'configure pull' command. I created three patch variations. (I think the first version is simple and good.)
       1. When the 'reqconfig' card is received, grant 'nobody' capabilities to non-authoritative users (like the 'clone' card).
       xfer.c / page_xfer()
       <blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-1.c 2009-10-09 09:11:39.000000000 +0900 @@ -747,6 +747,7 @@ if( blob_eq(&xfer.aToken[0], "reqconfig") && xfer.nToken==2 ){ + login_check_credentials(); if( g.okRead ){ char *zName = blob_str(&xfer.aToken[1]); if( configure_is_exportable(zName) ){ </verbatim></blockquote>
       Currently, the 'check_login()' function defined in 'xfer.c' grants no capabilities to non-authoritative users.
       2. When the 'login' card is received, grant 'nobody' capabilities if authorization failed.
       (This patch also accepts non-registered users, and registered users who specified a wrong password, as 'nobody'.)
       This patch always needs a 'login' card.
       xfer.c / check_login()
       <blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-2.c 2009-10-09 09:13:16.000000000 +0900 @@ -421,6 +421,8 @@ if( rc==0 ){ /* If the login was successful. */ login_set_anon_nobody_capabilities(); + }else{ + login_check_credentials(); } } </verbatim></blockquote>
       3. When the 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.
       (This patch denies non-registered users and registered users who specified a wrong password.
       A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)
       NG: fossil configure pull skin http://example.net
       OK: fossil configure pull skin http://anonymous@example.net
       This patch always needs a 'login' card.
       xfer.c / check_login()
       <blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c 2009-09-24 01:54:53.000000000 +0900 +++ xfer-3.c 2009-10-09 09:14:21.000000000 +0900 
       @@ -391,14 +391,16 @@ db_prepare(&q, "SELECT pw, cap, uid FROM user" " WHERE login=%Q" - " AND login NOT IN ('anonymous','nobody','developer','reader')" + " AND login NOT IN ('nobody','developer','reader')" " AND length(pw)>0", zLogin ); if( db_step(&q)==SQLITE_ROW ){ Blob pw, combined, hash; blob_zero(&pw); - db_ephemeral_blob(&q, 0, &pw); + if( strcmp(zLogin,"anonymous")!=0 ){ + db_ephemeral_blob(&q, 0, &pw); + } blob_zero(&combined); blob_copy(&combined, pNonce); blob_append(&combined, blob_buffer(&pw), blob_size(&pw)); </verbatim></blockquote>"
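Review bot: in the first patch (page_xfer, the `reqconfig` branch at line 747), the added `login_check_credentials();` runs inside the card loop, on every `reqconfig` card and after any `login` card has already been handled by check_login(); if login_check_credentials() derives capabilities from the HTTP request rather than from the login card, it can overwrite what a successful login card granted, so an authenticated client's later `reqconfig` cards may be evaluated with reduced rights. Guard it so it only fills in defaults, for example `if( !g.okRead ) login_check_credentials();`, or call it once before the loop and only when no login card was seen.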
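Review bot: in the second patch (check_login, line 421), the new `else{ login_check_credentials(); }` branch grants fallback capabilities on every failed login, including a registered user who sent a wrong password, and nothing in the hunk reports that failure back, so a client with mistyped credentials silently proceeds as 'nobody' instead of learning that its login card was rejected (the comment text acknowledges this). Limit the fallback to logins that do not name a registered user, or keep the rejection visible to the client; note also that because the branch lives inside the login-card handler, a client that sends no login card at all is still left with no capabilities.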
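Review bot: in the third patch (check_login, line 391), the query keeps `" AND length(pw)>0"` while the new `if( strcmp(zLogin,"anonymous")!=0 )` deliberately leaves `pw` empty for 'anonymous', so the anonymous row is matched only when it has a non-empty stored password that is then ignored: the signature is verified against the nonce alone, which means any password an administrator has configured for 'anonymous' is bypassed over sync, and an anonymous row with an actually empty password (the case the comment describes) never matches the query at all. Either drop the length(pw)>0 requirement for the anonymous case, or keep loading the stored password for 'anonymous' and accept it whether empty or not, so a configured anonymous password stays enforced.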
    2. Change foundin to "ca08c1d1b3"
    3. Change private_contact to "6b7d8d19b3584e0b0b59ee79d0f778ecd9f60111"
    4. Change severity to "Minor"
    5. Change status to "Open"
    6. Change title to "'configure pull' command receives empty response."
    7. Change type to "Incident"
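As an added example (not Fossil's code and not part of the ticket above), the following C program models the login-card check that the three proposed patches modify, so the capability outcome of each variant can be compared on the same four requests: no login card, a registered user with a correct and with a wrong password, and 'anonymous' with an empty password. The user table, the capability letters, the nonce, and the FNV-1a stand-in for Fossil's SHA1(nonce || password) signature are all constructed assumptions for this example.

```c
/*
 * Added example (not Fossil's code): a model of the sync-protocol login
 * check discussed in the ticket, showing which capabilities each of the
 * three proposed policies grants for the same requests. The user table,
 * capability letters and hash are constructed stand-ins; Fossil signs the
 * login card with SHA1(nonce || password), replaced here by FNV-1a so the
 * program is self-contained.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum Policy {
  POLICY_CURRENT,            /* shipped code: no fallback capabilities           */
  POLICY_REQCONFIG_FALLBACK, /* patch 1: 'nobody' caps filled in at reqconfig    */
  POLICY_LOGIN_FALLBACK,     /* patch 2: 'nobody' caps when the login card fails */
  POLICY_ANON_EMPTY          /* patch 3: 'anonymous' accepted with empty password */
};

typedef struct { const char *login; const char *pw; const char *cap; } User;

/* Constructed user table. 'o' stands for read access (Fossil's g.okRead). */
static const User USERS[] = {
  { "alice",     "s3cret", "oi" },  /* registered user: read + check-in        */
  { "anonymous", "anonpw", "oh" },  /* anonymous row with a stored password    */
  { "nobody",    "",       "o"  },  /* capabilities for unauthenticated clients */
};

static const User *find_user(const char *login) {
  for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
    if (strcmp(USERS[i].login, login) == 0) return &USERS[i];
  return NULL;
}

/* Stand-in for SHA1(nonce || pw): FNV-1a over the concatenation. */
uint64_t toy_sig(const char *nonce, const char *pw) {
  const char *parts[2] = { nonce, pw };
  uint64_t h = 1469598103934665603ULL;
  for (int i = 0; i < 2; i++)
    for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
      h ^= *p;
      h *= 1099511628211ULL;
    }
  return h;
}

/*
 * Capabilities granted to a request under `pol`. `login` is NULL when the
 * client sent no login card; otherwise `sig` is the client's signature over
 * nonce || password. Returns the capability string ("" = nothing granted).
 */
const char *resolve_caps(enum Policy pol, const char *login,
                         const char *nonce, uint64_t sig) {
  const char *nobody_caps = find_user("nobody")->cap;
  const User *u;
  int ok;

  if (login == NULL) {
    /* Only patch 1 helps a client that sends no login card at all. */
    return pol == POLICY_REQCONFIG_FALLBACK ? nobody_caps : "";
  }
  u = find_user(login);
  if (u == NULL || strcmp(login, "nobody") == 0) {
    ok = 0;                                   /* unknown or excluded login */
  } else if (strcmp(login, "anonymous") == 0) {
    /* Patch 3 verifies 'anonymous' against the nonce alone (empty pw); the
       stored password is ignored. All other policies reject 'anonymous'. */
    ok = (pol == POLICY_ANON_EMPTY) && sig == toy_sig(nonce, "");
  } else {
    ok = sig == toy_sig(nonce, u->pw);        /* normal password check */
  }
  if (ok) return u->cap;

  /* Login failed: patches 1 and 2 degrade silently to 'nobody'. */
  if (pol == POLICY_REQCONFIG_FALLBACK || pol == POLICY_LOGIN_FALLBACK)
    return nobody_caps;
  return "";
}

/* Mirrors the `if( g.okRead )` gate in page_xfer(): may this request read config? */
int can_read(const char *caps) { return strchr(caps, 'o') != NULL; }

int main(void) {
  static const char *names[] = { "current", "patch1", "patch2", "patch3" };
  const char *nonce = "n0nce";   /* constructed nonce */
  for (int p = POLICY_CURRENT; p <= POLICY_ANON_EMPTY; p++) {
    printf("%-8s no-login:%-3s alice-ok:%-3s alice-bad:%-3s anon-empty:%-3s\n",
           names[p],
           resolve_caps(p, NULL, nonce, 0),
           resolve_caps(p, "alice", nonce, toy_sig(nonce, "s3cret")),
           resolve_caps(p, "alice", nonce, toy_sig(nonce, "wrong")),
           resolve_caps(p, "anonymous", nonce, toy_sig(nonce, "")));
  }
  return 0;
}
```

Running it prints one row per policy. The 'alice-bad' column is the case a reviewer should weigh: under patches 1 and 2 a registered user's wrong password is quietly downgraded to 'nobody' rights, while patch 3 keeps rejecting it but, as modelled here, never consults the password actually stored for 'anonymous'.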