Artifact Content

Artifact 19319ee22a88a56f25514aeb7fd667d6b7af8ec4

Ticket change [19319ee22a] - New ticket ce33b14f8f 'configure pull' command receive empty response.. by anonymous on 2009-10-09 05:11:36.

D 2009-10-09T05:11:36
J comment Server sends an empty response for an unauthorized user's 'configure pull' command.

I created three patch variations. (I think the first version is simple and good.)

1. When the 'reqconfig' card is received, grant 'nobody' capabilities to unauthorized users. (like the 'clone' card)<br>xfer.c / page_xfer()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-1.c    2009-10-09 09:11:39.000000000 +0900
@@ -747,6 +747,7 @@
     if( blob_eq(&xfer.aToken[0], "reqconfig")
      && xfer.nToken==2
     ){
+      login_check_credentials();
       if( g.okRead ){
         char *zName = blob_str(&xfer.aToken[1]);
         if( configure_is_exportable(zName) ){
</verbatim></blockquote>
Currently, the 'check_login()' function defined in 'xfer.c' grants no capabilities to unauthorized users.

2. When the 'login' card is received, grant 'nobody' capabilities if authorization failed.<br>(This patch also accepts non-registered users, and registered users with a wrong password, as 'nobody'.)<br>This patch always needs the 'login' card.<br>xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-2.c    2009-10-09 09:13:16.000000000 +0900
@@ -421,6 +421,8 @@
   if( rc==0 ){
     /* If the login was successful. */
     login_set_anon_nobody_capabilities();
+  }else{
+    login_check_credentials();
   }
 }
</verbatim></blockquote>

3. When the 'login' card is received, grant 'anonymous' capabilities to 'anonymous' with an empty password.<br>(This patch denies non-registered users and registered users with a wrong password.<br>A user who is not registered needs 'anonymous@' in the 'configure pull' command URL parameter.)<br>NG: <tt>fossil configure pull skin http://example.net</tt><br>OK: <tt>fossil configure pull skin http://anonymous@example.net</tt><br>This patch always needs the 'login' card.<br>xfer.c / check_login()<blockquote><verbatim>--- ../Fossil-ca08c1d1b3/src/xfer.c      2009-09-24 01:54:53.000000000 +0900
+++ xfer-3.c    2009-10-09 09:14:21.000000000 +0900
@@ -391,14 +391,16 @@
   db_prepare(&q,
      "SELECT pw, cap, uid FROM user"
      " WHERE login=%Q"
-     "   AND login NOT IN ('anonymous','nobody','developer','reader')"
+     "   AND login NOT IN ('nobody','developer','reader')"
      "   AND length(pw)>0",
      zLogin
   );
   if( db_step(&q)==SQLITE_ROW ){
     Blob pw, combined, hash;
     blob_zero(&pw);
-    db_ephemeral_blob(&q, 0, &pw);
+    if( strcmp(zLogin,"anonymous")!=0 ){
+      db_ephemeral_blob(&q, 0, &pw);
+    }
     blob_zero(&combined);
     blob_copy(&combined, pNonce);
     blob_append(&combined, blob_buffer(&pw), blob_size(&pw));
</verbatim></blockquote>
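Review bot: in patch 1 (page_xfer, reqconfig branch) the added `login_check_credentials();` runs unconditionally, including for a client that already authenticated with a 'login' card earlier in the same request, so g.okRead is recomputed from the HTTP context immediately before `if( g.okRead )` and can replace the capabilities that check_login() established; guard the call so it only runs when no 'login' card has set the user, and note that as written it is repeated for every reqconfig card in the message.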
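Review bot: in patch 2 (check_login) the new `}else{ login_check_credentials(); }` turns every failed login, including a registered user presenting a wrong password, into a silent downgrade to 'nobody' capabilities, which the description itself acknowledges; a bad password should fail closed, or at least remain distinguishable from an unauthenticated request, so restrict the fallback in the rc!=0 case to logins for which no user row exists and keep a wrong password as a rejected login rather than an anonymous one.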
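Review bot: in patch 3 (check_login query and hash) the `if( strcmp(zLogin,"anonymous")!=0 )` guard leaves `pw` zero-length for the anonymous login, so the nonce hash is computed over an empty password and whatever password is stored for 'anonymous' is ignored, while the unchanged `"   AND length(pw)>0"` clause still requires a non-empty stored password before the row matches at all; the two conditions work against each other, and the bypass is hard-coded inside the hash computation. If anonymous sync is meant to need no password, make that an explicit setting checked before the query instead of a string special case in the authentication path.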
J foundin ca08c1d1b3
J private_contact 6b7d8d19b3584e0b0b59ee79d0f778ecd9f60111
J severity Minor
J status Open
J title 'configure\spull'\scommand\sreceive\sempty\sresponse.
J type Incident
K ce33b14f8fa9a41679705502086ca5fdfb5d142f
U anonymous
Z 4554e4a3be797ec09e428c4298c87f97