Fossil SCM
Provide the ability to make exceptions to maximum number of query parameters on the robot restrictor.
Commit
87368b3efd0b3a5617b59f089975566896a868d133f69aed5e97919e6aa6c063
Parent
f6ff25e1b75579a…
3 files changed
+13
-1
+12
-1
+1
-1
+13
-1
| --- src/login.c | ||
| +++ src/login.c | ||
| @@ -1302,20 +1302,32 @@ | ||
| 1302 | 1302 | */ |
| 1303 | 1303 | void login_restrict_robot_access(void){ |
| 1304 | 1304 | const char *zReferer; |
| 1305 | 1305 | const char *zGlob; |
| 1306 | 1306 | int isMatch = 1; |
| 1307 | + int nQP; /* Number of query parameters other than name= */ | |
| 1307 | 1308 | if( g.zLogin!=0 ) return; |
| 1308 | 1309 | zGlob = db_get("robot-restrict",0); |
| 1309 | 1310 | if( zGlob==0 || zGlob[0]==0 ) return; |
| 1310 | 1311 | if( g.isHuman ){ |
| 1311 | 1312 | zReferer = P("HTTP_REFERER"); |
| 1312 | 1313 | if( zReferer && zReferer[0]!=0 ) return; |
| 1313 | 1314 | } |
| 1314 | - if( cgi_qp_count()<1 ) return; | |
| 1315 | + nQP = cgi_qp_count(); | |
| 1316 | + if( nQP<1 ) return; | |
| 1315 | 1317 | isMatch = glob_multi_match(zGlob, g.zPath); |
| 1316 | 1318 | if( !isMatch ) return; |
| 1319 | + | |
| 1320 | + /* Check for exceptions to the restriction on the number of query | |
| 1321 | + ** parameters. */ | |
| 1322 | + zGlob = db_get("robot-restrict-qp",0); | |
| 1323 | + if( zGlob && zGlob[0] ){ | |
| 1324 | + char *zPath = mprintf("%s/%d", g.zPath, nQP); | |
| 1325 | + isMatch = glob_multi_match(zGlob, zPath); | |
| 1326 | + fossil_free(zPath); | |
| 1327 | + if( isMatch ) return; | |
| 1328 | + } | |
| 1317 | 1329 | |
| 1318 | 1330 | /* If we reach this point, it means we have a situation where we |
| 1319 | 1331 | ** want to restrict the activity of a robot. |
| 1320 | 1332 | */ |
| 1321 | 1333 | g.isHuman = 0; |
| 1322 | 1334 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1302,20 +1302,32 @@ | |
| 1302 | */ |
| 1303 | void login_restrict_robot_access(void){ |
| 1304 | const char *zReferer; |
| 1305 | const char *zGlob; |
| 1306 | int isMatch = 1; |
| 1307 | if( g.zLogin!=0 ) return; |
| 1308 | zGlob = db_get("robot-restrict",0); |
| 1309 | if( zGlob==0 || zGlob[0]==0 ) return; |
| 1310 | if( g.isHuman ){ |
| 1311 | zReferer = P("HTTP_REFERER"); |
| 1312 | if( zReferer && zReferer[0]!=0 ) return; |
| 1313 | } |
| 1314 | if( cgi_qp_count()<1 ) return; |
| 1315 | isMatch = glob_multi_match(zGlob, g.zPath); |
| 1316 | if( !isMatch ) return; |
| 1317 | |
| 1318 | /* If we reach this point, it means we have a situation where we |
| 1319 | ** want to restrict the activity of a robot. |
| 1320 | */ |
| 1321 | g.isHuman = 0; |
| 1322 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1302,20 +1302,32 @@ | |
| 1302 | */ |
| 1303 | void login_restrict_robot_access(void){ |
| 1304 | const char *zReferer; |
| 1305 | const char *zGlob; |
| 1306 | int isMatch = 1; |
| 1307 | int nQP; /* Number of query parameters other than name= */ |
| 1308 | if( g.zLogin!=0 ) return; |
| 1309 | zGlob = db_get("robot-restrict",0); |
| 1310 | if( zGlob==0 || zGlob[0]==0 ) return; |
| 1311 | if( g.isHuman ){ |
| 1312 | zReferer = P("HTTP_REFERER"); |
| 1313 | if( zReferer && zReferer[0]!=0 ) return; |
| 1314 | } |
| 1315 | nQP = cgi_qp_count(); |
| 1316 | if( nQP<1 ) return; |
| 1317 | isMatch = glob_multi_match(zGlob, g.zPath); |
| 1318 | if( !isMatch ) return; |
| 1319 | |
| 1320 | /* Check for exceptions to the restriction on the number of query |
| 1321 | ** parameters. */ |
| 1322 | zGlob = db_get("robot-restrict-qp",0); |
| 1323 | if( zGlob && zGlob[0] ){ |
| 1324 | char *zPath = mprintf("%s/%d", g.zPath, nQP); |
| 1325 | isMatch = glob_multi_match(zGlob, zPath); |
| 1326 | fossil_free(zPath); |
| 1327 | if( isMatch ) return; |
| 1328 | } |
| 1329 | |
| 1330 | /* If we reach this point, it means we have a situation where we |
| 1331 | ** want to restrict the activity of a robot. |
| 1332 | */ |
| 1333 | g.isHuman = 0; |
| 1334 |
+12
-1
| --- src/setup.c | ||
| +++ src/setup.c | ||
| @@ -501,13 +501,24 @@ | ||
| 501 | 501 | @ behavior or to find an SQL injection opportunity or similar. This can |
| 502 | 502 | @ waste hours of CPU time and gigabytes of bandwidth on the server. A |
| 503 | 503 | @ suggested value for this setting is: |
| 504 | 504 | @ "<tt>timeline,*diff,vpatch,annotate,blame,praise,dir,tree</tt>". |
| 505 | 505 | @ (Property: robot-restrict) |
| 506 | - @ <p> | |
| 506 | + @ <br> | |
| 507 | 507 | textarea_attribute("", 2, 80, |
| 508 | 508 | "robot-restrict", "rbrestrict", "", 0); |
| 509 | + @ <br> The following comma-separated GLOB pattern allows for exceptions | |
| 510 | + @ in the maximum number of query parameters before a request is considered | |
| 511 | + @ complex. If this GLOB pattern exists and is non-empty and if it | |
| 512 | + @ matches against the pagename followed by "/" and the number of query | |
| 513 | + @ parameters, then the request is allowed through. For example, the | |
| 514 | + @ suggested pattern of "timeline/[012]" allows the /timeline page to | |
| 515 | + @ pass with up to 2 query parameters besides "name". | |
| 516 | + @ (Property: robot-restrict-qp) | |
| 517 | + @ <br> | |
| 518 | + textarea_attribute("", 2, 80, | |
| 519 | + "robot-restrict-qp", "rbrestrictqp", "", 0); | |
| 509 | 520 | |
| 510 | 521 | @ <hr> |
| 511 | 522 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 512 | 523 | @ </div></form> |
| 513 | 524 | db_end_transaction(0); |
| 514 | 525 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -501,13 +501,24 @@ | |
| 501 | @ behavior or to find an SQL injection opportunity or similar. This can |
| 502 | @ waste hours of CPU time and gigabytes of bandwidth on the server. A |
| 503 | @ suggested value for this setting is: |
| 504 | @ "<tt>timeline,*diff,vpatch,annotate,blame,praise,dir,tree</tt>". |
| 505 | @ (Property: robot-restrict) |
| 506 | @ <p> |
| 507 | textarea_attribute("", 2, 80, |
| 508 | "robot-restrict", "rbrestrict", "", 0); |
| 509 | |
| 510 | @ <hr> |
| 511 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 512 | @ </div></form> |
| 513 | db_end_transaction(0); |
| 514 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -501,13 +501,24 @@ | |
| 501 | @ behavior or to find an SQL injection opportunity or similar. This can |
| 502 | @ waste hours of CPU time and gigabytes of bandwidth on the server. A |
| 503 | @ suggested value for this setting is: |
| 504 | @ "<tt>timeline,*diff,vpatch,annotate,blame,praise,dir,tree</tt>". |
| 505 | @ (Property: robot-restrict) |
| 506 | @ <br> |
| 507 | textarea_attribute("", 2, 80, |
| 508 | "robot-restrict", "rbrestrict", "", 0); |
| 509 | @ <br> The following comma-separated GLOB pattern allows for exceptions |
| 510 | @ in the maximum number of query parameters before a request is considered |
| 511 | @ complex. If this GLOB pattern exists and is non-empty and if it |
| 512 | @ matches against the pagename followed by "/" and the number of query |
| 513 | @ parameters, then the request is allowed through. For example, the |
| 514 | @ suggested pattern of "timeline/[012]" allows the /timeline page to |
| 515 | @ pass with up to 2 query parameters besides "name". |
| 516 | @ (Property: robot-restrict-qp) |
| 517 | @ <br> |
| 518 | textarea_attribute("", 2, 80, |
| 519 | "robot-restrict-qp", "rbrestrictqp", "", 0); |
| 520 | |
| 521 | @ <hr> |
| 522 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 523 | @ </div></form> |
| 524 | db_end_transaction(0); |
| 525 |
+1
-1
| --- src/timeline.c | ||
| +++ src/timeline.c | ||
| @@ -1863,10 +1863,11 @@ | ||
| 1863 | 1863 | char *zPlural; /* Ending for plural forms */ |
| 1864 | 1864 | int showCherrypicks = 1; /* True to show cherrypick merges */ |
| 1865 | 1865 | int haveParameterN; /* True if n= query parameter present */ |
| 1866 | 1866 | int from_to_mode = 0; /* 0: from,to. 1: from,ft 2: from,bt */ |
| 1867 | 1867 | |
| 1868 | + login_check_credentials(); | |
| 1868 | 1869 | url_initialize(&url, "timeline"); |
| 1869 | 1870 | cgi_query_parameters_to_url(&url); |
| 1870 | 1871 | |
| 1871 | 1872 | (void)P_NoBot("ss") |
| 1872 | 1873 | /* "ss" is processed via the udc but at least one spider likes to |
| @@ -1943,11 +1944,10 @@ | ||
| 1943 | 1944 | */ |
| 1944 | 1945 | pd_rid = name_choice("dp","dp2",&zDPName); |
| 1945 | 1946 | if( pd_rid ){ |
| 1946 | 1947 | p_rid = d_rid = pd_rid; |
| 1947 | 1948 | } |
| 1948 | - login_check_credentials(); | |
| 1949 | 1949 | if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum) |
| 1950 | 1950 | || (bisectLocal && !g.perm.Setup) |
| 1951 | 1951 | ){ |
| 1952 | 1952 | login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki); |
| 1953 | 1953 | return; |
| 1954 | 1954 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -1863,10 +1863,11 @@ | |
| 1863 | char *zPlural; /* Ending for plural forms */ |
| 1864 | int showCherrypicks = 1; /* True to show cherrypick merges */ |
| 1865 | int haveParameterN; /* True if n= query parameter present */ |
| 1866 | int from_to_mode = 0; /* 0: from,to. 1: from,ft 2: from,bt */ |
| 1867 | |
| 1868 | url_initialize(&url, "timeline"); |
| 1869 | cgi_query_parameters_to_url(&url); |
| 1870 | |
| 1871 | (void)P_NoBot("ss") |
| 1872 | /* "ss" is processed via the udc but at least one spider likes to |
| @@ -1943,11 +1944,10 @@ | |
| 1943 | */ |
| 1944 | pd_rid = name_choice("dp","dp2",&zDPName); |
| 1945 | if( pd_rid ){ |
| 1946 | p_rid = d_rid = pd_rid; |
| 1947 | } |
| 1948 | login_check_credentials(); |
| 1949 | if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum) |
| 1950 | || (bisectLocal && !g.perm.Setup) |
| 1951 | ){ |
| 1952 | login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki); |
| 1953 | return; |
| 1954 |
| --- src/timeline.c | |
| +++ src/timeline.c | |
| @@ -1863,10 +1863,11 @@ | |
| 1863 | char *zPlural; /* Ending for plural forms */ |
| 1864 | int showCherrypicks = 1; /* True to show cherrypick merges */ |
| 1865 | int haveParameterN; /* True if n= query parameter present */ |
| 1866 | int from_to_mode = 0; /* 0: from,to. 1: from,ft 2: from,bt */ |
| 1867 | |
| 1868 | login_check_credentials(); |
| 1869 | url_initialize(&url, "timeline"); |
| 1870 | cgi_query_parameters_to_url(&url); |
| 1871 | |
| 1872 | (void)P_NoBot("ss") |
| 1873 | /* "ss" is processed via the udc but at least one spider likes to |
| @@ -1943,11 +1944,10 @@ | |
| 1944 | */ |
| 1945 | pd_rid = name_choice("dp","dp2",&zDPName); |
| 1946 | if( pd_rid ){ |
| 1947 | p_rid = d_rid = pd_rid; |
| 1948 | } |
| 1949 | if( (!g.perm.Read && !g.perm.RdTkt && !g.perm.RdWiki && !g.perm.RdForum) |
| 1950 | || (bisectLocal && !g.perm.Setup) |
| 1951 | ){ |
| 1952 | login_needed(g.anon.Read && g.anon.RdTkt && g.anon.RdWiki); |
| 1953 | return; |
| 1954 |