Fossil SCM
Silently ignore reserved filenames that occur inside of manifests, rather than throwing an error. No need for a setting to allow reserved filenames in manifests.
Commit
2e19c5fe2d07fe60d087be96b757e52794f85a81422b9c61f8582fd39e3bbab8
Parent
0cec61e451c6c81…
2 files changed
-2
+10
-45
-2
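--- a/src/main.c
+++ b/src/main.c
@@ -220,12 +220,10 @@
 int noPswd; /* Logged in without password (on 127.0.0.1) */
 int userUid; /* Integer user id */
 int isHuman; /* True if access by a human, not a spider or bot */
 int comFmtFlags; /* Zero or more "COMMENT_PRINT_*" bit flags, should be
 ** accessed through get_comment_format(). */
- int manifestStrict; /* Whether or not to do strict enforcement of
- ** manifest syntax. 0 = unknown. 1 = no 2 = yes */
 
 /* Information used to populate the RCVFROM table */
 int rcvid; /* The rcvid. 0 if not yet defined. */
 char *zIpAddr; /* The remote IP address */
 char *zNonce; /* The nonce used for login */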
+10
-45
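--- a/src/manifest.c
+++ b/src/manifest.c
@@ -398,49 +398,10 @@
 */
 void manifest_clear_cache(){
 bag_clear(&seenManifests);
 }
 
-
-/*
-** SETTING: strict-manifest-syntax boolean default=on sensitive
-** LEAVE THIS SETTING TURNED ON!
-**
-** This flag indicates that manifest syntax should be strictly enforced.
-** It defaults to on. Clearing this flag is a security risk.
-**
-** Some questionable constructs were allowed in manifests in historical
-** versions of Fossil. In particular, it was formerly allowed to
-** include names like "_FOSSIL_" or ".fslckout" in subdirectories. But
-** doing so can lead to problems, and so newer versions of Fossil disallow
-** that.
-**
-** This flag allows the older questionable constructs to appear in
-** manifests for backwards compatibility for the very rare repositories
-** that make use of the questionable behavior.
-*/
-
-/*
-** Return true if manifest parsing rules are strictly enforced. Return
-** zero is certain questionable constructs should be allowed for legacy
-** compatibility.
-**
-** At the current time, the only questionable construct that this applies
-** to is the use of filenames like "_FOSSIL_" or ".fslckout" in subdirectories
-** of the repository. These names have never been allowed in the top-level
-** directory, but historical versions of fossil allowed them in subdirectories.
-**
-** This routine is only called if a questionable construct is encountered,
-** which is to say it is rarely called.
-*/
-int manifest_strict_enforcement(void){
- if( g.manifestStrict==0 ){
- g.manifestStrict = db_get_boolean("strict-manifest-syntax",1) + 1;
- }
- return g.manifestStrict - 1;
-}
-
 /*
 ** Parse a blob into a Manifest object. The Manifest object
 ** takes over the input blob and will free it when the
 ** Manifest object is freed. Zeros are inserted into the blob
 ** as string terminators so that blob should not be used again.
@@ -671,13 +632,10 @@
 zName = next_token(&x,0);
 if( zName==0 ) SYNTAX("missing filename on F-card");
 defossilize(zName);
 if( !file_is_simple_pathname_nonstrict(zName) ){
 SYNTAX("F-card filename is not a simple path");
- }else if( file_is_reserved_name(zName,-1)
- && manifest_strict_enforcement() ){
- SYNTAX("F-card contains a reserved name");
 }
 zUuid = next_token(&x, &sz);
 if( p->zBaseline==0 || zUuid!=0 ){
 if( zUuid==0 ) SYNTAX("missing hash on F-card");
 if( !hname_validate(zUuid,sz) ){
@@ -696,17 +654,24 @@
 p->nFileAlloc = p->nFileAlloc*2 + 10;
 p->aFile = fossil_realloc(p->aFile,
 p->nFileAlloc*sizeof(p->aFile[0]) );
 }
 i = p->nFile++;
+ if( i>0 && fossil_strcmp(p->aFile[i-1].zName, zName)>=0 ){
+ SYNTAX("incorrect F-card sort order");
+ }
+ if( file_is_reserved_name(zName,-1) ){
+ /* If reserved names leaked into historical manifests due to
+ ** slack oversight by older versions of Fossil, simply ignore
+ ** those files */
+ p->nFile--;
+ break;
+ }
 p->aFile[i].zName = zName;
 p->aFile[i].zUuid = zUuid;
 p->aFile[i].zPerm = zPerm;
 p->aFile[i].zPrior = zPriorName;
- if( i>0 && fossil_strcmp(p->aFile[i-1].zName, zName)>=0 ){
- SYNTAX("incorrect F-card sort order");
- }
 p->type = CFTYPE_MANIFEST;
 break;
 }
 
 /*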
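Review bot: The new reserved-name branch in the F-card case leaves through `break` before `p->type = CFTYPE_MANIFEST;` runs, so an artifact whose F-cards are all reserved names never gets its type set on this path; whether another card sets it is not visible in the hunk. Moving `p->type = CFTYPE_MANIFEST;` above the `file_is_reserved_name(zName,-1)` test would keep the artifact classification independent of which names are dropped. The same branch also undoes the slot with `p->nFile--`, so the following F-card is sort-checked against the entry before the dropped name, not against the dropped name itself, which slightly loosens the ordering check. Since reserved names are now accepted without any trace, a comment such as `/* Dropped names take no part in later sort-order checks and are not reported */` would document that, and a warning on this path would let an operator see when a received manifest carries such a name. The enclosing parse routine starts and ends outside the hunk.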