Fossil

Check-in [8f70ccaa]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Allow remote commands of the form "*/fossil.exe" on the "ssh:" protocol.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 8f70ccaac82d0e30e00158841d1715f14d279687892ba5202cf9f876394a85b8
User & Date: drh 2019-09-25 13:28:54
Context
2019-09-25
13:45
Fix the test-http command so that it omits line-ending conversions. This allows the ssh: clone/sync method to work with a windows server. check-in: 28b15b48 user: drh tags: trunk
13:28
Allow remote commands of the form "*/fossil.exe" on the "ssh:" protocol. check-in: 8f70ccaa user: drh tags: trunk
2019-09-24
23:29
Performance optimizations in the markdown formatter. check-in: ef41fbfa user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/http_transport.c.

78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

/*
** Check zFossil to see if it is a reasonable "fossil" command to
** run on the server.  Do not allow an attacker to substitute something
** like "/bin/rm".
*/
static int is_safe_fossil_command(const char *zFossil){
  static const char *const azSafe[] = { "*/fossil", "*/echo" };
  int i;
  for(i=0; i<sizeof(azSafe)/sizeof(azSafe[0]); i++){
    if( sqlite3_strglob(azSafe[i], zFossil)==0 ) return 1;
    if( strcmp(azSafe[i]+2, zFossil)==0 ) return 1;
  }
  return 0;
}







|







78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

/*
** Check zFossil to see if it is a reasonable "fossil" command to
** run on the server.  Do not allow an attacker to substitute something
** like "/bin/rm".
*/
static int is_safe_fossil_command(const char *zFossil){
  static const char *const azSafe[] = { "*/fossil", "*/fossil.exe", "*/echo" };
  int i;
  for(i=0; i<sizeof(azSafe)/sizeof(azSafe[0]); i++){
    if( sqlite3_strglob(azSafe[i], zFossil)==0 ) return 1;
    if( strcmp(azSafe[i]+2, zFossil)==0 ) return 1;
  }
  return 0;
}