Fossil SCM

Do not allow more than one login card in the sync protocol.

drh 2025-07-21 19:39 xfer-login-card

Commit 12cc5bbf227e3905de21960093c26bfffdcdfed235110310c23c0bccd11c8e79

Parent 73a2bd06b1ff70c…

1 file changed +12 -1

M src/xfer.c

+12 -1

		--- src/xfer.c
		+++ src/xfer.c
		@@ -1273,10 +1273,11 @@
1273	1273	int nUuidList = 0;
1274	1274	char **pzUuidList = 0;
1275	1275	int *pnUuidList = 0;
1276	1276	int uvCatalogSent = 0;
1277	1277	int bSendLinks = 0;
	1278	+ int nLogin = 0;
1278	1279
1279	1280	if( fossil_strcmp(PD("REQUEST_METHOD","POST"),"POST") ){
1280	1281	fossil_redirect_home();
1281	1282	}
1282	1283	g.zLogin = "anonymous";
		@@ -1562,18 +1563,28 @@
1562	1563
1563	1564	/* login USER NONCE SIGNATURE
1564	1565	**
1565	1566	** The client has sent login credentials to the server.
1566	1567	** Validate the login. This has to happen before anything else.
1567		- ** The client can send multiple logins. Permissions are cumulative.
	1568	+ **
	1569	+ ** For many years, Fossil would accept multiple login cards with
	1570	+ ** cumulative permissions. But that feature was never used. Hence
	1571	+ ** it is now prohibited. Any login card after the first generates
	1572	+ ** a fatal error.
1568	1573	*/
1569	1574	if( blob_eq(&xfer.aToken[0], "login")
1570	1575	&& xfer.nToken==4
1571	1576	){
1572	1577	handle_login_card:
	1578	+ nLogin++;
1573	1579	if( disableLogin ){
1574	1580	g.perm.Read = g.perm.Write = g.perm.Private = g.perm.Admin = 1;
	1581	+ }else if( nLogin > 1 ){
	1582	+ cgi_reset_content();
	1583	+ @ error multiple\slogin\cards
	1584	+ nErr++;
	1585	+ break;
1575	1586	}else{
1576	1587	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1577	1588	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1578	1589	){
1579	1590	cgi_reset_content();
1580	1591

	--- src/xfer.c
	+++ src/xfer.c
	@@ -1273,10 +1273,11 @@
1273	int nUuidList = 0;
1274	char **pzUuidList = 0;
1275	int *pnUuidList = 0;
1276	int uvCatalogSent = 0;
1277	int bSendLinks = 0;

1278
1279	if( fossil_strcmp(PD("REQUEST_METHOD","POST"),"POST") ){
1280	fossil_redirect_home();
1281	}
1282	g.zLogin = "anonymous";
	@@ -1562,18 +1563,28 @@
1562
1563	/* login USER NONCE SIGNATURE
1564	**
1565	** The client has sent login credentials to the server.
1566	** Validate the login. This has to happen before anything else.
1567	** The client can send multiple logins. Permissions are cumulative.




1568	*/
1569	if( blob_eq(&xfer.aToken[0], "login")
1570	&& xfer.nToken==4
1571	){
1572	handle_login_card:

1573	if( disableLogin ){
1574	g.perm.Read = g.perm.Write = g.perm.Private = g.perm.Admin = 1;





1575	}else{
1576	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1577	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1578	){
1579	cgi_reset_content();
1580

	--- src/xfer.c
	+++ src/xfer.c
	@@ -1273,10 +1273,11 @@
1273	int nUuidList = 0;
1274	char **pzUuidList = 0;
1275	int *pnUuidList = 0;
1276	int uvCatalogSent = 0;
1277	int bSendLinks = 0;
1278	int nLogin = 0;
1279
1280	if( fossil_strcmp(PD("REQUEST_METHOD","POST"),"POST") ){
1281	fossil_redirect_home();
1282	}
1283	g.zLogin = "anonymous";
	@@ -1562,18 +1563,28 @@
1563
1564	/* login USER NONCE SIGNATURE
1565	**
1566	** The client has sent login credentials to the server.
1567	** Validate the login. This has to happen before anything else.
1568	**
1569	** For many years, Fossil would accept multiple login cards with
1570	** cumulative permissions. But that feature was never used. Hence
1571	** it is now prohibited. Any login card after the first generates
1572	** a fatal error.
1573	*/
1574	if( blob_eq(&xfer.aToken[0], "login")
1575	&& xfer.nToken==4
1576	){
1577	handle_login_card:
1578	nLogin++;
1579	if( disableLogin ){
1580	g.perm.Read = g.perm.Write = g.perm.Private = g.perm.Admin = 1;
1581	}else if( nLogin > 1 ){
1582	cgi_reset_content();
1583	@ error multiple\slogin\cards
1584	nErr++;
1585	break;
1586	}else{
1587	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1588	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1589	){
1590	cgi_reset_content();
1591