Updated the Security-Audit page to better handle the change from the old https-login setting to the new redirect-to-https setting.
Commit
37918a1fa43949c30459ca5ad559ac14509bd75bca7cb9c6a58c7241b8fca90c
Parent
246f249e5ac07ee…
1 file changed
+9
-6
+9
-6
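--- src/security_audit.c
+++ src/security_audit.c
@@ -141,18 +141,21 @@
 @ <p>Change GLOB patterns exceptions using the "Public pages" setting
 @ on the <a href="setup_access">Access Settings</a> page.</p>
 }
 }
 
-/* Make sure the HTTPS is required for login, so that the password
-** does not go across the internet in the clear.
+/* Make sure the HTTPS is required for login, at least, so that the
+** password does not go across the Internet in the clear.
 */
-if( db_get_boolean("redirect-to-https",0)==0 ){
+if( db_get_int("redirect-to-https",0)==0 ){
 @ <li><p><b>WARNING:</b>
-@ Login passwords can be sent over an unencrypted connection.
-@ <p>Fix this by activating the "Redirect to HTTPS on the Login page"
-@ setting on the <a href="setup_access">Access Control</a> page.
+@ Sensitive material such as login passwords can be sent over an
+@ unencrypted connection.
+@ <p>Fix this by changing the "Redirect to HTTPS" setting on the
+@ <a href="setup_access">Access Control</a> page. If you were using
+@ the old "Redirect to HTTPS on Login Page" setting, switch to the
+@ new setting: it has a more secure implementation.
 }
 
 /* Anonymous users should not be able to harvest email addresses
 ** from tickets.
 */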
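Review bot: The new test at line 149, `db_get_int("redirect-to-https",0)==0`, only fires when the setting is entirely off, so any non-zero level passes the audit silently even though the new wording widens the concern to "sensitive material such as login passwords"; if the integer setting has a level that redirects only the login page (the comment's "at least" suggests so), the session cookie on later plain-HTTP requests is the same class of exposure and merits a lower-severity item, e.g. `}else if( db_get_int("redirect-to-https",0)<2 ){` followed by an `@ <li><p>` recommending the site-wide level, with the threshold confirmed against the setting's definition before it is hard-coded. The migration advice about the old "Redirect to HTTPS on Login Page" setting is printed unconditionally; since the commit description names the legacy setting as `https-login`, gating that sentence on `db_get_boolean("https-login",0)` (if that setting is still read anywhere) would keep it from confusing administrators who never used it. The enclosing function starts and ends outside this hunk.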
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -141,18 +141,21 @@ | |
| 141 | @ <p>Change GLOB patterns exceptions using the "Public pages" setting |
| 142 | @ on the <a href="setup_access">Access Settings</a> page.</p> |
| 143 | } |
| 144 | } |
| 145 | |
| 146 | /* Make sure the HTTPS is required for login, so that the password |
| 147 | ** does not go across the internet in the clear. |
| 148 | */ |
| 149 | if( db_get_boolean("redirect-to-https",0)==0 ){ |
| 150 | @ <li><p><b>WARNING:</b> |
| 151 | @ Login passwords can be sent over an unencrypted connection. |
| 152 | @ <p>Fix this by activating the "Redirect to HTTPS on the Login page" |
| 153 | @ setting on the <a href="setup_access">Access Control</a> page. |
| 154 | } |
| 155 | |
| 156 | /* Anonymous users should not be able to harvest email addresses |
| 157 | ** from tickets. |
| 158 | */ |
| 159 |
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -141,18 +141,21 @@ | |
| 141 | @ <p>Change GLOB patterns exceptions using the "Public pages" setting |
| 142 | @ on the <a href="setup_access">Access Settings</a> page.</p> |
| 143 | } |
| 144 | } |
| 145 | |
| 146 | /* Make sure the HTTPS is required for login, at least, so that the |
| 147 | ** password does not go across the Internet in the clear. |
| 148 | */ |
| 149 | if( db_get_int("redirect-to-https",0)==0 ){ |
| 150 | @ <li><p><b>WARNING:</b> |
| 151 | @ Sensitive material such as login passwords can be sent over an |
| 152 | @ unencrypted connection. |
| 153 | @ <p>Fix this by changing the "Redirect to HTTPS" setting on the |
| 154 | @ <a href="setup_access">Access Control</a> page. If you were using |
| 155 | @ the old "Redirect to HTTPS on Login Page" setting, switch to the |
| 156 | @ new setting: it has a more secure implementation. |
| 157 | } |
| 158 | |
| 159 | /* Anonymous users should not be able to harvest email addresses |
| 160 | ** from tickets. |
| 161 | */ |
| 162 |