Fossil SCM
As a performance optimization, only do the SQL-injection detection for user "nobody". Improved comment on cgi_value_spider_check() to better explain what this subsystem is all about.
Commit
00ae2391e4c7dea8cc78e38c07becd2c7298d2e5766a351b9c74b4aab4a49322
Parent
d3cb62f76759c6f…
1 file changed
+11
-1
| --- src/cgi.c | ||
| +++ src/cgi.c | ||
| @@ -1532,13 +1532,23 @@ | ||
| 1532 | 1532 | /* |
| 1533 | 1533 | ** If looks_like_sql_injection() returns true for the given string, calls |
| 1534 | 1534 | ** cgi_begin_spider() and does not return, else this function has no |
| 1535 | 1535 | ** side effects. The range of checks performed by this function may |
| 1536 | 1536 | ** be extended in the future. |
| 1537 | +** | |
| 1538 | +** Checks are omitted for any logged-in user. | |
| 1539 | +** | |
| 1540 | +** This is NOT a defense against SQL injection. Fossil should easily be | |
| 1541 | +** proof against SQL injection without this routine. Rather, this is an | |
| 1542 | +** attempt to avoid denial-of-service caused by persistent spiders that hammer | |
| 1543 | +** the server with dozens or hundreds of SQL injection attempts per second | |
| 1544 | +** against pages (such as /vdiff) that are expensive to compute. In other | |
| 1545 | +** words, this is an effort to reduce the CPU load imposed by malicious | |
| 1546 | +** spiders. It is not an effect defense against SQL injection vulnerabilities. | |
| 1537 | 1547 | */ |
| 1538 | 1548 | void cgi_value_spider_check(const char *zTxt){ |
| 1539 | - if( looks_like_sql_injection(zTxt) ){ | |
| 1549 | + if( g.zLogin==0 && looks_like_sql_injection(zTxt) ){ | |
| 1540 | 1550 | cgi_begone_spider(); |
| 1541 | 1551 | } |
| 1542 | 1552 | } |
| 1543 | 1553 | |
| 1544 | 1554 | /* |
| 1545 | 1555 |
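Review bot: the new gate `g.zLogin==0` at line 1549 exempts every logged-in account, while the commit message describes the change as restricting the check to user "nobody" and the new comment at line 1538 says "any logged-in user"; since the stated purpose (lines 1540-1546) is CPU-load reduction against anonymous spiders rather than injection defense, the narrowing is consistent with intent, but the comment should state explicitly that `g.zLogin==0` is the not-logged-in case so the message, comment and code agree. Two drive-by fixes while this comment block is being edited: line 1546 "It is not an effect defense" should read "It is not an effective defense", and line 1534 still names `cgi_begin_spider()` although the function actually invoked at line 1550 is `cgi_begone_spider()`.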