Fossil SCM
Do not do the login-bypass if the HTTPS env var is ON. This might indicate that a remote HTTPS connection is being converted to HTTP locally using stunnel (or the equivalent).
Commit
3da8a12f488b343706c868b45f395100074cedd9
Parent
ed28f6e76d46cb8…
1 file changed
+7
-3
+7
-3
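--- a/src/login.c
+++ b/src/login.c
@@ -258,15 +258,19 @@
 /* Only run this check once. */
 if( g.userUid!=0 ) return;
 
 
 /* If the HTTP connection is coming over 127.0.0.1 and if
-** local login is disabled, then there is no need to check
-** user credentials.
+** local login is disabled and if we are using HTTP and not HTTPS,
+** then there is no need to check user credentials.
+**
 */
 zRemoteAddr = PD("REMOTE_ADDR","nil");
-if( strcmp(zRemoteAddr, "127.0.0.1")==0 && db_get_int("localauth",0)==0 ){
+if( strcmp(zRemoteAddr, "127.0.0.1")==0
+&& db_get_int("localauth",0)==0
+&& P("HTTPS")==0
+){
 uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'");
 g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid);
 zCap = "s";
 g.noPswd = 1;
 strcpy(g.zCsrfToken, "localhost");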
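Review bot: The new condition still fails open, because the password-less branch (`zCap = "s"`, `g.noPswd = 1`) is taken whenever REMOTE_ADDR is 127.0.0.1 and no HTTPS value is present. A local TLS terminator or reverse proxy that forwards over plain HTTP without setting HTTPS would therefore still give remote clients the `s` capability. The commit message itself says HTTPS only "might indicate" a converted connection, so that limit belongs in the code comment. I would replace the dangling empty `**` line with the caveat, e.g. `** NOTE: a local proxy that does not set HTTPS must run with localauth enabled, or remote users bypass login.` It is also worth confirming where `P("HTTPS")` reads from; if it can be satisfied by a request parameter, that only disables the bypass, which is the safe direction. The enclosing function starts and ends outside the hunk.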
| --- src/login.c | |
| +++ src/login.c | |
| @@ -258,15 +258,19 @@ | |
| 258 | /* Only run this check once. */ |
| 259 | if( g.userUid!=0 ) return; |
| 260 | |
| 261 | |
| 262 | /* If the HTTP connection is coming over 127.0.0.1 and if |
| 263 | ** local login is disabled, then there is no need to check |
| 264 | ** user credentials. |
| 265 | */ |
| 266 | zRemoteAddr = PD("REMOTE_ADDR","nil"); |
| 267 | if( strcmp(zRemoteAddr, "127.0.0.1")==0 && db_get_int("localauth",0)==0 ){ |
| 268 | uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'"); |
| 269 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 270 | zCap = "s"; |
| 271 | g.noPswd = 1; |
| 272 | strcpy(g.zCsrfToken, "localhost"); |
| 273 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -258,15 +258,19 @@ | |
| 258 | /* Only run this check once. */ |
| 259 | if( g.userUid!=0 ) return; |
| 260 | |
| 261 | |
| 262 | /* If the HTTP connection is coming over 127.0.0.1 and if |
| 263 | ** local login is disabled and if we are using HTTP and not HTTPS, |
| 264 | ** then there is no need to check user credentials. |
| 265 | ** |
| 266 | */ |
| 267 | zRemoteAddr = PD("REMOTE_ADDR","nil"); |
| 268 | if( strcmp(zRemoteAddr, "127.0.0.1")==0 |
| 269 | && db_get_int("localauth",0)==0 |
| 270 | && P("HTTPS")==0 |
| 271 | ){ |
| 272 | uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'"); |
| 273 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 274 | zCap = "s"; |
| 275 | g.noPswd = 1; |
| 276 | strcpy(g.zCsrfToken, "localhost"); |
| 277 |