Fossil SCM
Provide a scary warning about the use of TH1 docs on the Security Audit page.
Commit
5c0bb964cdf0e1a34d41b4b06d1abe1ea795eedc0d41f5dc19b1254ed5ae267d
Parent
45427ae1c9312bd…
1 file changed
+29
+29
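--- a/src/security_audit.c
+++ b/src/security_audit.c
@@ -218,10 +218,39 @@
 @ <p>Fix this by changing the "Redirect to HTTPS" setting on the
 @ <a href="setup_access">Access Control</a> page. If you were using
 @ the old "Redirect to HTTPS on Login Page" setting, switch to the
 @ new setting: it has a more secure implementation.
 }
+
+#ifdef FOSSIL_ENABLE_TH1_DOCS
+ /* The use of embedded TH1 is dangerous. Warn if it is possible.
+ */
+ if( !Th_AreDocsEnabled() ){
+ @ <li><p>
+ @ This server is compiled with -DFOSSIL_ENABLE_TH1_DOCS. TH1 docs
+ @ are disabled for this particular repository, so you are safe for
+ @ now. However, to prevent future problems caused by accidentally
+ @ enabling TH1 docs in the future, it is recommended that you
+ @ recompile Fossil without the -DFOSSIL_ENABLE_TH1_DOCS flag.</p>
+ }else{
+ @ <li><p><b>DANGER:</b>
+ @ This server is compiled with -DFOSSIL_ENABLE_TH1_DOCS and TH1 docs
+ @ are enabled for this repository. Anyone who can check-in or push
+ @ to this repository can create a malicious TH1 script and then cause
+ @ that script to be run on the server. This is a serious security concern.
+ @ TH1 docs should only be enabled for repositories with a very limited
+ @ number of trusted committers, and the repository should be monitored
+ @ closely to ensure no hostile content sneaks in. If a bad TH1 script
+ @ does make it into the repository, the only want to prevent it from
+ @ being run is to shun it.</p>
+ @
+ @ <p>Disable TH1 docs by recompiling Fossil without the
+ @ -DFOSSIL_ENABLE_TH1_DOCS flag, and/or clear the th1-docs setting
+ @ and ensure that the TH1_ENABLE_DOCS environment variable does not
+ @ exist in the environment.</p>
+ }
+#endif
 
 /* Anonymous users should not be able to harvest email addresses
 ** from tickets.
 */
 if( hasAnyCap(zAnonCap, "e") ){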
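Review bot: The DANGER paragraph at new line 243 has a typo in text shown to administrators: "the only want to prevent it" should read `@ does make it into the repository, the only way to prevent it from`. In the closing paragraph (new lines 246-249) the "and/or" leaves it unclear whether clearing the th1-docs setting alone is enough; since the text names both the setting and the TH1_ENABLE_DOCS environment variable, presumably either one can turn the feature on, so it would be clearer to say that recompiling, or clearing the setting and removing the variable together, disables it. The not-enabled branch (new lines 228-233) could name the same two switches so an administrator knows what must stay unset to remain in the safe state. The enclosing function begins and ends outside this hunk.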
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -218,10 +218,39 @@ | |
| 218 | @ <p>Fix this by changing the "Redirect to HTTPS" setting on the |
| 219 | @ <a href="setup_access">Access Control</a> page. If you were using |
| 220 | @ the old "Redirect to HTTPS on Login Page" setting, switch to the |
| 221 | @ new setting: it has a more secure implementation. |
| 222 | } |
| 223 | |
| 224 | /* Anonymous users should not be able to harvest email addresses |
| 225 | ** from tickets. |
| 226 | */ |
| 227 | if( hasAnyCap(zAnonCap, "e") ){ |
| 228 |
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -218,10 +218,39 @@ | |
| 218 | @ <p>Fix this by changing the "Redirect to HTTPS" setting on the |
| 219 | @ <a href="setup_access">Access Control</a> page. If you were using |
| 220 | @ the old "Redirect to HTTPS on Login Page" setting, switch to the |
| 221 | @ new setting: it has a more secure implementation. |
| 222 | } |
| 223 | |
| 224 | #ifdef FOSSIL_ENABLE_TH1_DOCS |
| 225 | /* The use of embedded TH1 is dangerous. Warn if it is possible. |
| 226 | */ |
| 227 | if( !Th_AreDocsEnabled() ){ |
| 228 | @ <li><p> |
| 229 | @ This server is compiled with -DFOSSIL_ENABLE_TH1_DOCS. TH1 docs |
| 230 | @ are disabled for this particular repository, so you are safe for |
| 231 | @ now. However, to prevent future problems caused by accidentally |
| 232 | @ enabling TH1 docs in the future, it is recommended that you |
| 233 | @ recompile Fossil without the -DFOSSIL_ENABLE_TH1_DOCS flag.</p> |
| 234 | }else{ |
| 235 | @ <li><p><b>DANGER:</b> |
| 236 | @ This server is compiled with -DFOSSIL_ENABLE_TH1_DOCS and TH1 docs |
| 237 | @ are enabled for this repository. Anyone who can check-in or push |
| 238 | @ to this repository can create a malicious TH1 script and then cause |
| 239 | @ that script to be run on the server. This is a serious security concern. |
| 240 | @ TH1 docs should only be enabled for repositories with a very limited |
| 241 | @ number of trusted committers, and the repository should be monitored |
| 242 | @ closely to ensure no hostile content sneaks in. If a bad TH1 script |
| 243 | @ does make it into the repository, the only want to prevent it from |
| 244 | @ being run is to shun it.</p> |
| 245 | @ |
| 246 | @ <p>Disable TH1 docs by recompiling Fossil without the |
| 247 | @ -DFOSSIL_ENABLE_TH1_DOCS flag, and/or clear the th1-docs setting |
| 248 | @ and ensure that the TH1_ENABLE_DOCS environment variable does not |
| 249 | @ exist in the environment.</p> |
| 250 | } |
| 251 | #endif |
| 252 | |
| 253 | /* Anonymous users should not be able to harvest email addresses |
| 254 | ** from tickets. |
| 255 | */ |
| 256 | if( hasAnyCap(zAnonCap, "e") ){ |
| 257 |