Fossil

Changes On Branch ignore-reserved-filenames

Changes In Branch ignore-reserved-filenames Excluding Merge-Ins

This is equivalent to a diff from 888da94e0a to 8f24c07917

2020-08-19
16:13
Silently ignore reserved filenames that occur inside of manifests, rather than throwing an error. No need for a setting to allow reserved filenames in manifests. ... (check-in: 2e19c5fe2d user: drh tags: sec2020)
01:07
Cherrypick key fixes from the sec2020 branch in order to devise a minimal patch to get us to version 2.12.1. ... (check-in: fe1264d35d user: drh tags: sec2020-2.12-patch)
00:15
Do not allow the "fossil add" command to add files beneath a symlink. ... (check-in: a6abfb911b user: drh tags: sec2020)
2020-08-18
23:39
An alternative method for dealing with historical files named "_FOSSIL_" in the tree: Simply pretend they are not there. ... (Closed-Leaf check-in: 8f24c07917 user: drh tags: ignore-reserved-filenames)
20:58
Silently refuse to "fossil add" files that use reserved names. ... (check-in: 888da94e0a user: drh tags: sec2020)
20:19
Improved error message and response when trying to manifest a check-out that contains a file beneath a symbolic link directory. ... (check-in: 20d90dd482 user: drh tags: sec2020)

Changes to src/main.c.

218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
#endif
  int useLocalauth;       /* No login required if from 127.0.0.1 */
  int noPswd;             /* Logged in without password (on 127.0.0.1) */
  int userUid;            /* Integer user id */
  int isHuman;            /* True if access by a human, not a spider or bot */
  int comFmtFlags;        /* Zero or more "COMMENT_PRINT_*" bit flags, should be
                          ** accessed through get_comment_format(). */
  int manifestStrict;     /* Whether or not to do strict enforcement of 
                          ** manifest syntax.  0 = unknown. 1 = no  2 = yes */

  /* Information used to populate the RCVFROM table */
  int rcvid;              /* The rcvid.  0 if not yet defined. */
  char *zIpAddr;          /* The remote IP address */
  char *zNonce;           /* The nonce used for login */

  /* permissions available to current user */







<
<







218
219
220
221
222
223
224


225
226
227
228
229
230
231
#endif
  int useLocalauth;       /* No login required if from 127.0.0.1 */
  int noPswd;             /* Logged in without password (on 127.0.0.1) */
  int userUid;            /* Integer user id */
  int isHuman;            /* True if access by a human, not a spider or bot */
  int comFmtFlags;        /* Zero or more "COMMENT_PRINT_*" bit flags, should be
                          ** accessed through get_comment_format(). */



  /* Information used to populate the RCVFROM table */
  int rcvid;              /* The rcvid.  0 if not yet defined. */
  char *zIpAddr;          /* The remote IP address */
  char *zNonce;           /* The nonce used for login */

  /* permissions available to current user */
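Review bot: Dropping `g.manifestStrict` from the global state is only safe if no other translation unit still reads or writes it; the only reader visible on this page, `manifest_strict_enforcement()` in src/manifest.c, is removed on the same branch, but a `grep manifestStrict src/` before merge is cheap insurance, since any leftover reference is a compile error rather than a runtime fault. Removing the field also removes the last per-repository knob that could weaken manifest filename checking, which is consistent with the branch's intent of ignoring reserved names unconditionally instead of gating the behaviour on a setting.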

Changes to src/manifest.c.

396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
** Frees all memory owned by the manifest "has-seen" cache.  Intended
** to be called only from the app's atexit() handler.
*/
void manifest_clear_cache(){
  bag_clear(&seenManifests);
}


/*
** SETTING: strict-manifest-syntax  boolean default=on sensitive
** LEAVE THIS SETTING TURNED ON!
**
** This flag indicates that manifest syntax should be strictly enforced.
** It defaults to on.  Clearing this flag is a security risk.
**
** Some questionable constructs were allowed in manifests in historical
** versions of Fossil.  In particular, it was formerly allowed to
** include names like "_FOSSIL_" or ".fslckout" in subdirectories.  But
** doing so can lead to problems, and so newer versions of Fossil disallow
** that.
**
** This flag allows the older questionable constructs to appear in
** manifests for backwards compatibility for the very rare repositories
** that make use of the questionable behavior.
*/

/*
** Return true if manifest parsing rules are strictly enforced.  Return
** zero is certain questionable constructs should be allowed for legacy
** compatibility.
**
** At the current time, the only questionable construct that this applies
** to is the use of filenames like "_FOSSIL_" or ".fslckout" in subdirectories
** of the repository.  These names have never been allowed in the top-level
** directory, but historical versions of fossil allowed them in subdirectories.
**
** This routine is only called if a questionable construct is encountered,
** which is to say it is rarely called.
*/
int manifest_strict_enforcement(void){
  if( g.manifestStrict==0 ){
    g.manifestStrict = db_get_boolean("strict-manifest-syntax",1) + 1;
  }
  return g.manifestStrict - 1;
}

/*
** Parse a blob into a Manifest object.  The Manifest object
** takes over the input blob and will free it when the
** Manifest object is freed.  Zeros are inserted into the blob
** as string terminators so that blob should not be used again.
**
** Return a pointer to an allocated Manifest object if the content







<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







396
397
398
399
400
401
402







































403
404
405
406
407
408
409
** Frees all memory owned by the manifest "has-seen" cache.  Intended
** to be called only from the app's atexit() handler.
*/
void manifest_clear_cache(){
  bag_clear(&seenManifests);
}








































/*
** Parse a blob into a Manifest object.  The Manifest object
** takes over the input blob and will free it when the
** Manifest object is freed.  Zeros are inserted into the blob
** as string terminators so that blob should not be used again.
**
** Return a pointer to an allocated Manifest object if the content
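Review bot: Deleting the `SETTING: strict-manifest-syntax` block and `manifest_strict_enforcement()` silently orphans any `strict-manifest-syntax` value already stored in a repository's config table: `fossil settings` will no longer list it, and a repository that had turned it off becomes strict without any notice. That is the safer direction (the removed comment itself said `LEAVE THIS SETTING TURNED ON!`), but it deserves a line in the release notes, and a follow-up that deletes the stale config row would keep it from lingering as an undocumented key. A side benefit of the removal is that the `db_get_boolean(...) + 1` / `- 1` tri-state (0 = unknown, 1 = no, 2 = yes) cached in `g.manifestStrict` goes away with it; that encoding was easy to misread and had no remaining caller.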
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
      case 'F': {
        char *zName, *zPerm, *zPriorName;
        zName = next_token(&x,0);
        if( zName==0 ) SYNTAX("missing filename on F-card");
        defossilize(zName);
        if( !file_is_simple_pathname_nonstrict(zName) ){
          SYNTAX("F-card filename is not a simple path");
        }else if( file_is_reserved_name(zName,-1) 
               && manifest_strict_enforcement() ){
          SYNTAX("F-card contains a reserved name");
        }
        zUuid = next_token(&x, &sz);
        if( p->zBaseline==0 || zUuid!=0 ){
          if( zUuid==0 ) SYNTAX("missing hash on F-card");
          if( !hname_validate(zUuid,sz) ){
            SYNTAX("F-card hash invalid");
          }







<
<
<







630
631
632
633
634
635
636



637
638
639
640
641
642
643
      case 'F': {
        char *zName, *zPerm, *zPriorName;
        zName = next_token(&x,0);
        if( zName==0 ) SYNTAX("missing filename on F-card");
        defossilize(zName);
        if( !file_is_simple_pathname_nonstrict(zName) ){
          SYNTAX("F-card filename is not a simple path");



        }
        zUuid = next_token(&x, &sz);
        if( p->zBaseline==0 || zUuid!=0 ){
          if( zUuid==0 ) SYNTAX("missing hash on F-card");
          if( !hname_validate(zUuid,sz) ){
            SYNTAX("F-card hash invalid");
          }
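Review bot: With this hunk alone, the reserved-name test on the F-card filename is gone from the point where the path is validated, so on its own it would let `_FOSSIL_`-style names through the parser unchecked; it is only correct because the check is re-applied later in the same `case 'F'` block (the hunk at manifest.c lines 652-679 below), so the two hunks must land together. A one-line comment here, e.g. `/* reserved names are filtered after the sort-order check below */`, would stop a future reader from concluding the check was simply dropped. Note the reordering also changes which error a malformed card produces: a reserved name with an invalid hash is now reported as `F-card hash invalid` instead of `F-card contains a reserved name`; the manifest is still rejected, only the message differs.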
694
695
696
697
698
699
700










701
702
703
704
705
706
707
708
709
710
711
712
713
714
        }
        if( p->nFile>=p->nFileAlloc ){
          p->nFileAlloc = p->nFileAlloc*2 + 10;
          p->aFile = fossil_realloc(p->aFile,
                                    p->nFileAlloc*sizeof(p->aFile[0]) );
        }
        i = p->nFile++;










        p->aFile[i].zName = zName;
        p->aFile[i].zUuid = zUuid;
        p->aFile[i].zPerm = zPerm;
        p->aFile[i].zPrior = zPriorName;
        if( i>0 && fossil_strcmp(p->aFile[i-1].zName, zName)>=0 ){
          SYNTAX("incorrect F-card sort order");
        }
        p->type = CFTYPE_MANIFEST;
        break;
      }

      /*
      **    G <hash>
      **







>
>
>
>
>
>
>
>
>
>




<
<
<







652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672



673
674
675
676
677
678
679
        }
        if( p->nFile>=p->nFileAlloc ){
          p->nFileAlloc = p->nFileAlloc*2 + 10;
          p->aFile = fossil_realloc(p->aFile,
                                    p->nFileAlloc*sizeof(p->aFile[0]) );
        }
        i = p->nFile++;
        if( i>0 && fossil_strcmp(p->aFile[i-1].zName, zName)>=0 ){
          SYNTAX("incorrect F-card sort order");
        }
        if( file_is_reserved_name(zName,-1) ){
          /* If reserved names leaked into historical manifests due to
          ** slack oversight by older versions of Fossil, simply ignore
          ** those files */
          p->nFile--;
          break;
        }
        p->aFile[i].zName = zName;
        p->aFile[i].zUuid = zUuid;
        p->aFile[i].zPerm = zPerm;
        p->aFile[i].zPrior = zPriorName;



        p->type = CFTYPE_MANIFEST;
        break;
      }

      /*
      **    G <hash>
      **
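Review bot: The early `break` in the `file_is_reserved_name(zName,-1)` branch skips `p->type = CFTYPE_MANIFEST;` as well as the `p->aFile[i]` stores, so an ignored F-card no longer marks the artifact as a manifest; consider setting `p->type` before the reserved-name test (or inside the skip branch) so an artifact whose only F-cards carry reserved names is still typed the same way it was before this change. Two smaller observations: `p->nFile--` correctly undoes the `i = p->nFile++` just above it, but because the sort-order check now runs before the skip, the next kept F-card is compared against the previous kept entry rather than against the skipped `_FOSSIL_` entry, so a manifest in which the skipped name is followed by a name sorting before it now parses where it previously failed `incorrect F-card sort order`. The artifact hash covers the raw manifest text rather than `aFile[]`, so this does not weaken integrity, but it is a small loosening worth a sentence in the comment. Memory-wise the skip is clean: `zName` points into the blob the Manifest owns, so discarding it here leaks nothing.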