Fossil SCM

Improved handling of spaces in usernames and passwords.

drh 2009-09-21 16:14 trunk

Commit 7100babda6b44844c5da6bcfaa9e6ef4cd3a90dd

Parent 109114baf4826a9…

2 files changed +2 +4 -2

M src/url.c

		--- src/url.c
		+++ src/url.c
		@@ -65,12 +65,14 @@
65	65	}
66	66	for(i=iStart; (c=zUrl[i])!=0 && c!='/' && c!='@'; i++){}
67	67	if( c=='@' ){
68	68	for(j=iStart; j<i && zUrl[j]!=':'; j++){}
69	69	g.urlUser = mprintf("%.*s", j-iStart, &zUrl[iStart]);
	70	+ dehttpize(g.urlUser);
70	71	if( j<i ){
71	72	g.urlPasswd = mprintf("%.*s", i-j-1, &zUrl[j+1]);
	73	+ dehttpize(g.urlPasswd);
72	74	}
73	75	for(j=i+1; (c=zUrl[j])!=0 && c!='/' && c!=':'; j++){}
74	76	g.urlName = mprintf("%.*s", j-i-1, &zUrl[i+1]);
75	77	i = j;
76	78	}else{
77	79

	--- src/url.c
	+++ src/url.c
	@@ -65,12 +65,14 @@
65	}
66	for(i=iStart; (c=zUrl[i])!=0 && c!='/' && c!='@'; i++){}
67	if( c=='@' ){
68	for(j=iStart; j<i && zUrl[j]!=':'; j++){}
69	g.urlUser = mprintf("%.*s", j-iStart, &zUrl[iStart]);

70	if( j<i ){
71	g.urlPasswd = mprintf("%.*s", i-j-1, &zUrl[j+1]);

72	}
73	for(j=i+1; (c=zUrl[j])!=0 && c!='/' && c!=':'; j++){}
74	g.urlName = mprintf("%.*s", j-i-1, &zUrl[i+1]);
75	i = j;
76	}else{
77

	--- src/url.c
	+++ src/url.c
	@@ -65,12 +65,14 @@
65	}
66	for(i=iStart; (c=zUrl[i])!=0 && c!='/' && c!='@'; i++){}
67	if( c=='@' ){
68	for(j=iStart; j<i && zUrl[j]!=':'; j++){}
69	g.urlUser = mprintf("%.*s", j-iStart, &zUrl[iStart]);
70	dehttpize(g.urlUser);
71	if( j<i ){
72	g.urlPasswd = mprintf("%.*s", i-j-1, &zUrl[j+1]);
73	dehttpize(g.urlPasswd);
74	}
75	for(j=i+1; (c=zUrl[j])!=0 && c!='/' && c!=':'; j++){}
76	g.urlName = mprintf("%.*s", j-i-1, &zUrl[i+1]);
77	i = j;
78	}else{
79

M src/xfer.c

+4 -2

		--- src/xfer.c
		+++ src/xfer.c
		@@ -383,17 +383,19 @@
383	383	** http_exchange() routine.
384	384	*/
385	385	void check_login(Blob pLogin, Blob pNonce, Blob *pSig){
386	386	Stmt q;
387	387	int rc = -1;
	388	+ char *zLogin = blob_terminate(pLogin);
	389	+ defossilize(zLogin);
388	390
389	391	db_prepare(&q,
390	392	"SELECT pw, cap, uid FROM user"
391		- " WHERE login=%B"
	393	+ " WHERE login=%Q"
392	394	" AND login NOT IN ('anonymous','nobody','developer','reader')"
393	395	" AND length(pw)>0",
394		- pLogin
	396	+ zLogin
395	397	);
396	398	if( db_step(&q)==SQLITE_ROW ){
397	399	Blob pw, combined, hash;
398	400	blob_zero(&pw);
399	401	db_ephemeral_blob(&q, 0, &pw);
400	402

	--- src/xfer.c
	+++ src/xfer.c
	@@ -383,17 +383,19 @@
383	** http_exchange() routine.
384	*/
385	void check_login(Blob pLogin, Blob pNonce, Blob *pSig){
386	Stmt q;
387	int rc = -1;


388
389	db_prepare(&q,
390	"SELECT pw, cap, uid FROM user"
391	" WHERE login=%B"
392	" AND login NOT IN ('anonymous','nobody','developer','reader')"
393	" AND length(pw)>0",
394	pLogin
395	);
396	if( db_step(&q)==SQLITE_ROW ){
397	Blob pw, combined, hash;
398	blob_zero(&pw);
399	db_ephemeral_blob(&q, 0, &pw);
400

	--- src/xfer.c
	+++ src/xfer.c
	@@ -383,17 +383,19 @@
383	** http_exchange() routine.
384	*/
385	void check_login(Blob pLogin, Blob pNonce, Blob *pSig){
386	Stmt q;
387	int rc = -1;
388	char *zLogin = blob_terminate(pLogin);
389	defossilize(zLogin);
390
391	db_prepare(&q,
392	"SELECT pw, cap, uid FROM user"
393	" WHERE login=%Q"
394	" AND login NOT IN ('anonymous','nobody','developer','reader')"
395	" AND length(pw)>0",
396	zLogin
397	);
398	if( db_step(&q)==SQLITE_ROW ){
399	Blob pw, combined, hash;
400	blob_zero(&pw);
401	db_ephemeral_blob(&q, 0, &pw);
402