Ticket UUID: ce33b14f8fa9a41679705502086ca5fdfb5d142f
Title: 'configure pull' command receives empty response.
Status: Open
Type: Incident
Severity: Minor
Priority:
Subsystem:
Resolution:
Last Modified: 2009-10-09 05:11:36
Version Found In: ca08c1d1b3
Description & Comments:
Server sends an empty response for a non-authoritative user's 'configure pull' command.

I created three patch variations. (I think the first version is simple and good.)

1. When the 'reqconfig' card is received, grant 'nobody' capabilities to non-authoritative users (like the 'clone' card).
xfer.c / page_xfer()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-1.c    2009-10-09 09:11:39.000000000 +0900
@@ -747,6 +747,7 @@
     if( blob_eq(&xfer.aToken[0], "reqconfig")
      && xfer.nToken==2
     ){
+      login_check_credentials();
       if( g.okRead ){
         char *zName = blob_str(&xfer.aToken[1]);
         if( configure_is_exportable(zName) ){
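Review bot: the added login_check_credentials() call in the reqconfig branch is unconditional, so it also runs after a client has already authenticated with a 'login' card, and it runs again for every reqconfig card in the same request. Whether it overrides the capabilities set by check_login() depends on how login_check_credentials() derives g.okRead, which is not in the hunk; if it reads the HTTP session rather than the xfer login state, an authenticated client would be downgraded to 'nobody' for configuration pulls. Guarding the call with a flag set by the login-card handler, so it runs only when no login card was processed, keeps the two paths from interfering.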
Currently, the 'check_login()' function defined in 'xfer.c' grants no capabilities to unauthoritative users.

2. When the 'login' card is received, grant 'nobody' capabilities if authorization failed.
(This patch also accepts non-registered users, and registered users who specified a wrong password, as 'nobody'.)
This patch always needs a 'login' card.
xfer.c / check_login()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-2.c    2009-10-09 09:13:16.000000000 +0900
@@ -421,6 +421,8 @@
   if( rc==0 ){
     /* If the login was successful. */
     login_set_anon_nobody_capabilities();
+  }else{
+    login_check_credentials();
   }
 }
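Review bot: the new else branch turns every failed login, including a registered user presenting a wrong password, into a 'nobody' session with nothing in the hunk recording the failure; the client sees a successful pull with reduced capabilities instead of an error, and the server cannot tell a typo, or a client guessing passwords, apart from a client that never asked to authenticate. If the fallback is kept, at least distinguish "unknown user" from "bad password" before calling login_check_credentials() and leave a trace of the failed attempt so it can be monitored.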

3. When the 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.
(This patch denies non-registered users, and registered users who specified a wrong password.
A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)
NG: fossil configure pull skin http://example.net
OK: fossil configure pull skin http://anonymous@example.net
This patch always needs a 'login' card.
xfer.c / check_login()

--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-3.c    2009-10-09 09:14:21.000000000 +0900
@@ -391,14 +391,16 @@
   db_prepare(&q,
      "SELECT pw, cap, uid FROM user"
      " WHERE login=%Q"
-     "   AND login NOT IN ('anonymous','nobody','developer','reader')"
+     "   AND login NOT IN ('nobody','developer','reader')"
      "   AND length(pw)>0",
      zLogin
   );
   if( db_step(&q)==SQLITE_ROW ){
     Blob pw, combined, hash;
     blob_zero(&pw);
-    db_ephemeral_blob(&q, 0, &pw);
+    if( strcmp(zLogin,"anonymous")!=0 ){
+      db_ephemeral_blob(&q, 0, &pw);
+    }
     blob_zero(&combined);
     blob_copy(&combined, pNonce);
     blob_append(&combined, blob_buffer(&pw), blob_size(&pw));
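Review bot: the `strcmp(zLogin,"anonymous")!=0` guard skips reading the stored password, so for 'anonymous' `pw` stays empty and `combined` becomes the nonce alone; the hash the client must present then no longer depends on anything in the user table, which bypasses whatever password is set on the anonymous account. Note also that the WHERE clause still requires `length(pw)>0`, so the branch only matches an anonymous account that does have a password, and then ignores it. If the intent is "anonymous with an empty password", read the stored value as before and accept the login only when that value is empty, rather than special-casing the name in C.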