Fossil SCM
Only automatically provide Authorization if the URL is HTTPS. User can express preference to use Authorization over unencrypted HTTP via the --httpauth command line option.
Commit
906cfae4442bec55da9a2f5c6931e3c81dff7601
Parent
da070fafe2cced5…
3 files changed
+17
+11
-5
+3
+17
| --- src/clone.c | ||
| +++ src/clone.c | ||
| @@ -109,22 +109,25 @@ | ||
| 109 | 109 | ** --admin-user|-A USERNAME Make USERNAME the administrator |
| 110 | 110 | ** --once Don't save url. |
| 111 | 111 | ** --private Also clone private branches |
| 112 | 112 | ** --ssl-identity=filename Use the SSL identity if requested by the server |
| 113 | 113 | ** --ssh-command|-c 'command' Use this SSH command |
| 114 | +** --httpauth|-B Add HTTP Basic Authorization to requests | |
| 114 | 115 | ** |
| 115 | 116 | ** See also: init |
| 116 | 117 | */ |
| 117 | 118 | void clone_cmd(void){ |
| 118 | 119 | char *zPassword; |
| 119 | 120 | const char *zDefaultUser; /* Optional name of the default user */ |
| 121 | + int fUseHttpAuth; /* Use HTTP auth if requested by user */ | |
| 120 | 122 | int nErr = 0; |
| 121 | 123 | int bPrivate = 0; /* Also clone private branches */ |
| 122 | 124 | int urlFlags = URL_PROMPT_PW | URL_REMEMBER; |
| 123 | 125 | |
| 124 | 126 | if( find_option("private",0,0)!=0 ) bPrivate = SYNC_PRIVATE; |
| 125 | 127 | if( find_option("once",0,0)!=0) urlFlags &= ~URL_REMEMBER; |
| 128 | + fUseHttpAuth = find_option("httpauth","B",0)!=0; | |
| 126 | 129 | zDefaultUser = find_option("admin-user","A",1); |
| 127 | 130 | clone_ssh_find_options(); |
| 128 | 131 | url_proxy_options(); |
| 129 | 132 | if( g.argc < 4 ){ |
| 130 | 133 | usage("?OPTIONS? FILE-OR-URL NEW-REPOSITORY"); |
| @@ -159,10 +162,11 @@ | ||
| 159 | 162 | db_initial_setup(0, 0, zDefaultUser, 0); |
| 160 | 163 | user_select(); |
| 161 | 164 | db_set("content-schema", CONTENT_SCHEMA, 0); |
| 162 | 165 | db_set("aux-schema", AUX_SCHEMA, 0); |
| 163 | 166 | db_set("rebuilt", get_version(), 0); |
| 167 | + remember_http_auth(fUseHttpAuth,g.argv[2]); | |
| 164 | 168 | url_remember(); |
| 165 | 169 | if( g.zSSLIdentity!=0 ){ |
| 166 | 170 | /* If the --ssl-identity option was specified, store it as a setting */ |
| 167 | 171 | Blob fn; |
| 168 | 172 | blob_zero(&fn); |
| @@ -195,10 +199,23 @@ | ||
| 195 | 199 | fossil_print("project-id: %s\n", db_get("project-code", 0)); |
| 196 | 200 | zPassword = db_text(0, "SELECT pw FROM user WHERE login=%Q", g.zLogin); |
| 197 | 201 | fossil_print("admin-user: %s (password is \"%s\")\n", g.zLogin, zPassword); |
| 198 | 202 | db_end_transaction(0); |
| 199 | 203 | } |
| 204 | + | |
| 205 | +/* | |
| 206 | +** If user chooses to use HTTP Authentication over unencrypted HTTP, | |
| 207 | +** remember decision. Otherwise, if the URL is being changed and no preference | |
| 208 | +** has been indicated, err on the safe side and revert the decision. | |
| 209 | +*/ | |
| 210 | +void remember_http_auth(int fUseHttpAuth, const char *zUrl){ | |
| 211 | + if( fUseHttpAuth==1 ){ | |
| 212 | + db_set_int("use-http-auth", 1, 0); | |
| 213 | + }else if( zUrl && zUrl[0] ){ | |
| 214 | + db_unset("use-http-auth", 0); | |
| 215 | + } | |
| 216 | +} | |
| 200 | 217 | |
| 201 | 218 | /* |
| 202 | 219 | ** Look for SSH clone command line options and setup in globals. |
| 203 | 220 | */ |
| 204 | 221 | void clone_ssh_find_options(void){ |
| 205 | 222 |
| --- src/clone.c | |
| +++ src/clone.c | |
| @@ -109,22 +109,25 @@ | |
| 109 | ** --admin-user|-A USERNAME Make USERNAME the administrator |
| 110 | ** --once Don't save url. |
| 111 | ** --private Also clone private branches |
| 112 | ** --ssl-identity=filename Use the SSL identity if requested by the server |
| 113 | ** --ssh-command|-c 'command' Use this SSH command |
| 114 | ** |
| 115 | ** See also: init |
| 116 | */ |
| 117 | void clone_cmd(void){ |
| 118 | char *zPassword; |
| 119 | const char *zDefaultUser; /* Optional name of the default user */ |
| 120 | int nErr = 0; |
| 121 | int bPrivate = 0; /* Also clone private branches */ |
| 122 | int urlFlags = URL_PROMPT_PW | URL_REMEMBER; |
| 123 | |
| 124 | if( find_option("private",0,0)!=0 ) bPrivate = SYNC_PRIVATE; |
| 125 | if( find_option("once",0,0)!=0) urlFlags &= ~URL_REMEMBER; |
| 126 | zDefaultUser = find_option("admin-user","A",1); |
| 127 | clone_ssh_find_options(); |
| 128 | url_proxy_options(); |
| 129 | if( g.argc < 4 ){ |
| 130 | usage("?OPTIONS? FILE-OR-URL NEW-REPOSITORY"); |
| @@ -159,10 +162,11 @@ | |
| 159 | db_initial_setup(0, 0, zDefaultUser, 0); |
| 160 | user_select(); |
| 161 | db_set("content-schema", CONTENT_SCHEMA, 0); |
| 162 | db_set("aux-schema", AUX_SCHEMA, 0); |
| 163 | db_set("rebuilt", get_version(), 0); |
| 164 | url_remember(); |
| 165 | if( g.zSSLIdentity!=0 ){ |
| 166 | /* If the --ssl-identity option was specified, store it as a setting */ |
| 167 | Blob fn; |
| 168 | blob_zero(&fn); |
| @@ -195,10 +199,23 @@ | |
| 195 | fossil_print("project-id: %s\n", db_get("project-code", 0)); |
| 196 | zPassword = db_text(0, "SELECT pw FROM user WHERE login=%Q", g.zLogin); |
| 197 | fossil_print("admin-user: %s (password is \"%s\")\n", g.zLogin, zPassword); |
| 198 | db_end_transaction(0); |
| 199 | } |
| 200 | |
| 201 | /* |
| 202 | ** Look for SSH clone command line options and setup in globals. |
| 203 | */ |
| 204 | void clone_ssh_find_options(void){ |
| 205 |
| --- src/clone.c | |
| +++ src/clone.c | |
| @@ -109,22 +109,25 @@ | |
| 109 | ** --admin-user|-A USERNAME Make USERNAME the administrator |
| 110 | ** --once Don't save url. |
| 111 | ** --private Also clone private branches |
| 112 | ** --ssl-identity=filename Use the SSL identity if requested by the server |
| 113 | ** --ssh-command|-c 'command' Use this SSH command |
| 114 | ** --httpauth|-B Add HTTP Basic Authorization to requests |
| 115 | ** |
| 116 | ** See also: init |
| 117 | */ |
| 118 | void clone_cmd(void){ |
| 119 | char *zPassword; |
| 120 | const char *zDefaultUser; /* Optional name of the default user */ |
| 121 | int fUseHttpAuth; /* Use HTTP auth if requested by user */ |
| 122 | int nErr = 0; |
| 123 | int bPrivate = 0; /* Also clone private branches */ |
| 124 | int urlFlags = URL_PROMPT_PW | URL_REMEMBER; |
| 125 | |
| 126 | if( find_option("private",0,0)!=0 ) bPrivate = SYNC_PRIVATE; |
| 127 | if( find_option("once",0,0)!=0) urlFlags &= ~URL_REMEMBER; |
| 128 | fUseHttpAuth = find_option("httpauth","B",0)!=0; |
| 129 | zDefaultUser = find_option("admin-user","A",1); |
| 130 | clone_ssh_find_options(); |
| 131 | url_proxy_options(); |
| 132 | if( g.argc < 4 ){ |
| 133 | usage("?OPTIONS? FILE-OR-URL NEW-REPOSITORY"); |
| @@ -159,10 +162,11 @@ | |
| 162 | db_initial_setup(0, 0, zDefaultUser, 0); |
| 163 | user_select(); |
| 164 | db_set("content-schema", CONTENT_SCHEMA, 0); |
| 165 | db_set("aux-schema", AUX_SCHEMA, 0); |
| 166 | db_set("rebuilt", get_version(), 0); |
| 167 | remember_http_auth(fUseHttpAuth,g.argv[2]); |
| 168 | url_remember(); |
| 169 | if( g.zSSLIdentity!=0 ){ |
| 170 | /* If the --ssl-identity option was specified, store it as a setting */ |
| 171 | Blob fn; |
| 172 | blob_zero(&fn); |
| @@ -195,10 +199,23 @@ | |
| 199 | fossil_print("project-id: %s\n", db_get("project-code", 0)); |
| 200 | zPassword = db_text(0, "SELECT pw FROM user WHERE login=%Q", g.zLogin); |
| 201 | fossil_print("admin-user: %s (password is \"%s\")\n", g.zLogin, zPassword); |
| 202 | db_end_transaction(0); |
| 203 | } |
| 204 | |
| 205 | /* |
| 206 | ** If user chooses to use HTTP Authentication over unencrypted HTTP, |
| 207 | ** remember decision. Otherwise, if the URL is being changed and no preference |
| 208 | ** has been indicated, err on the safe side and revert the decision. |
| 209 | */ |
| 210 | void remember_http_auth(int fUseHttpAuth, const char *zUrl){ |
| 211 | if( fUseHttpAuth==1 ){ |
| 212 | db_set_int("use-http-auth", 1, 0); |
| 213 | }else if( zUrl && zUrl[0] ){ |
| 214 | db_unset("use-http-auth", 0); |
| 215 | } |
| 216 | } |
| 217 | |
| 218 | /* |
| 219 | ** Look for SSH clone command line options and setup in globals. |
| 220 | */ |
| 221 | void clone_ssh_find_options(void){ |
| 222 |
+11
-5
| --- src/http.c | ||
| +++ src/http.c | ||
| @@ -205,16 +205,22 @@ | ||
| 205 | 205 | while( (zLine = transport_receive_line(GLOBAL_URL()))!=0 && zLine[0]!=0 ){ |
| 206 | 206 | /* printf("[%s]\n", zLine); fflush(stdout); */ |
| 207 | 207 | if( fossil_strnicmp(zLine, "http/1.", 7)==0 ){ |
| 208 | 208 | if( sscanf(zLine, "HTTP/1.%d %d", &iHttpVersion, &rc)!=2 ) goto write_err; |
| 209 | 209 | if( rc==401 ){ |
| 210 | - fUseHttpAuth = 1; | |
| 211 | - transport_close(GLOBAL_URL()); | |
| 212 | - if( --maxRedirect == 0 ){ | |
| 213 | - fossil_fatal("http authorization limit exceeded"); | |
| 210 | + if( g.urlIsHttps || db_get_boolean("use-http-auth",0)!=0 ){ | |
| 211 | + fUseHttpAuth = 1; | |
| 212 | + transport_close(GLOBAL_URL()); | |
| 213 | + if( --maxRedirect == 0 ){ | |
| 214 | + fossil_fatal("http authorization limit exceeded"); | |
| 215 | + } | |
| 216 | + return http_exchange(pSend, pReply, useLogin, maxRedirect); | |
| 217 | + }else{ | |
| 218 | + fossil_warning( | |
| 219 | + "Authorization over unencrypted HTTP requested; " | |
| 220 | + "use --httpauth if appropriate."); | |
| 214 | 221 | } |
| 215 | - return http_exchange(pSend, pReply, useLogin, maxRedirect); | |
| 216 | 222 | } |
| 217 | 223 | if( rc!=200 && rc!=302 ){ |
| 218 | 224 | int ii; |
| 219 | 225 | for(ii=7; zLine[ii] && zLine[ii]!=' '; ii++){} |
| 220 | 226 | while( zLine[ii]==' ' ) ii++; |
| 221 | 227 |
| --- src/http.c | |
| +++ src/http.c | |
| @@ -205,16 +205,22 @@ | |
| 205 | while( (zLine = transport_receive_line(GLOBAL_URL()))!=0 && zLine[0]!=0 ){ |
| 206 | /* printf("[%s]\n", zLine); fflush(stdout); */ |
| 207 | if( fossil_strnicmp(zLine, "http/1.", 7)==0 ){ |
| 208 | if( sscanf(zLine, "HTTP/1.%d %d", &iHttpVersion, &rc)!=2 ) goto write_err; |
| 209 | if( rc==401 ){ |
| 210 | fUseHttpAuth = 1; |
| 211 | transport_close(GLOBAL_URL()); |
| 212 | if( --maxRedirect == 0 ){ |
| 213 | fossil_fatal("http authorization limit exceeded"); |
| 214 | } |
| 215 | return http_exchange(pSend, pReply, useLogin, maxRedirect); |
| 216 | } |
| 217 | if( rc!=200 && rc!=302 ){ |
| 218 | int ii; |
| 219 | for(ii=7; zLine[ii] && zLine[ii]!=' '; ii++){} |
| 220 | while( zLine[ii]==' ' ) ii++; |
| 221 |
| --- src/http.c | |
| +++ src/http.c | |
| @@ -205,16 +205,22 @@ | |
| 205 | while( (zLine = transport_receive_line(GLOBAL_URL()))!=0 && zLine[0]!=0 ){ |
| 206 | /* printf("[%s]\n", zLine); fflush(stdout); */ |
| 207 | if( fossil_strnicmp(zLine, "http/1.", 7)==0 ){ |
| 208 | if( sscanf(zLine, "HTTP/1.%d %d", &iHttpVersion, &rc)!=2 ) goto write_err; |
| 209 | if( rc==401 ){ |
| 210 | if( g.urlIsHttps || db_get_boolean("use-http-auth",0)!=0 ){ |
| 211 | fUseHttpAuth = 1; |
| 212 | transport_close(GLOBAL_URL()); |
| 213 | if( --maxRedirect == 0 ){ |
| 214 | fossil_fatal("http authorization limit exceeded"); |
| 215 | } |
| 216 | return http_exchange(pSend, pReply, useLogin, maxRedirect); |
| 217 | }else{ |
| 218 | fossil_warning( |
| 219 | "Authorization over unencrypted HTTP requested; " |
| 220 | "use --httpauth if appropriate."); |
| 221 | } |
| 222 | } |
| 223 | if( rc!=200 && rc!=302 ){ |
| 224 | int ii; |
| 225 | for(ii=7; zLine[ii] && zLine[ii]!=' '; ii++){} |
| 226 | while( zLine[ii]==' ' ) ii++; |
| 227 |
+3
| --- src/sync.c | ||
| +++ src/sync.c | ||
| @@ -83,17 +83,19 @@ | ||
| 83 | 83 | ** of a server to sync against. If no argument is given, use the |
| 84 | 84 | ** most recently synced URL. Remember the current URL for next time. |
| 85 | 85 | */ |
| 86 | 86 | static void process_sync_args(unsigned *pConfigFlags, unsigned *pSyncFlags){ |
| 87 | 87 | const char *zUrl = 0; |
| 88 | + int fUseHttpAuth; /* Use HTTP auth if requested by user */ | |
| 88 | 89 | unsigned configSync = 0; |
| 89 | 90 | unsigned urlFlags = URL_REMEMBER | URL_PROMPT_PW; |
| 90 | 91 | int urlOptional = 0; |
| 91 | 92 | if( find_option("autourl",0,0)!=0 ){ |
| 92 | 93 | urlOptional = 1; |
| 93 | 94 | urlFlags = 0; |
| 94 | 95 | } |
| 96 | + fUseHttpAuth = find_option("httpauth",0,0)!=0; | |
| 95 | 97 | if( find_option("once",0,0)!=0 ) urlFlags &= ~URL_REMEMBER; |
| 96 | 98 | if( find_option("private",0,0)!=0 ){ |
| 97 | 99 | *pSyncFlags |= SYNC_PRIVATE; |
| 98 | 100 | } |
| 99 | 101 | if( find_option("verbose","v",0)!=0 ){ |
| @@ -116,10 +118,11 @@ | ||
| 116 | 118 | } |
| 117 | 119 | if( urlFlags & URL_REMEMBER ){ |
| 118 | 120 | clone_ssh_db_set_options(); |
| 119 | 121 | } |
| 120 | 122 | url_parse(zUrl, urlFlags); |
| 123 | + remember_http_auth(fUseHttpAuth,zUrl); | |
| 121 | 124 | url_remember(); |
| 122 | 125 | if( g.urlProtocol==0 ){ |
| 123 | 126 | if( urlOptional ) fossil_exit(0); |
| 124 | 127 | usage("URL"); |
| 125 | 128 | } |
| 126 | 129 |
| --- src/sync.c | |
| +++ src/sync.c | |
| @@ -83,17 +83,19 @@ | |
| 83 | ** of a server to sync against. If no argument is given, use the |
| 84 | ** most recently synced URL. Remember the current URL for next time. |
| 85 | */ |
| 86 | static void process_sync_args(unsigned *pConfigFlags, unsigned *pSyncFlags){ |
| 87 | const char *zUrl = 0; |
| 88 | unsigned configSync = 0; |
| 89 | unsigned urlFlags = URL_REMEMBER | URL_PROMPT_PW; |
| 90 | int urlOptional = 0; |
| 91 | if( find_option("autourl",0,0)!=0 ){ |
| 92 | urlOptional = 1; |
| 93 | urlFlags = 0; |
| 94 | } |
| 95 | if( find_option("once",0,0)!=0 ) urlFlags &= ~URL_REMEMBER; |
| 96 | if( find_option("private",0,0)!=0 ){ |
| 97 | *pSyncFlags |= SYNC_PRIVATE; |
| 98 | } |
| 99 | if( find_option("verbose","v",0)!=0 ){ |
| @@ -116,10 +118,11 @@ | |
| 116 | } |
| 117 | if( urlFlags & URL_REMEMBER ){ |
| 118 | clone_ssh_db_set_options(); |
| 119 | } |
| 120 | url_parse(zUrl, urlFlags); |
| 121 | url_remember(); |
| 122 | if( g.urlProtocol==0 ){ |
| 123 | if( urlOptional ) fossil_exit(0); |
| 124 | usage("URL"); |
| 125 | } |
| 126 |
| --- src/sync.c | |
| +++ src/sync.c | |
| @@ -83,17 +83,19 @@ | |
| 83 | ** of a server to sync against. If no argument is given, use the |
| 84 | ** most recently synced URL. Remember the current URL for next time. |
| 85 | */ |
| 86 | static void process_sync_args(unsigned *pConfigFlags, unsigned *pSyncFlags){ |
| 87 | const char *zUrl = 0; |
| 88 | int fUseHttpAuth; /* Use HTTP auth if requested by user */ |
| 89 | unsigned configSync = 0; |
| 90 | unsigned urlFlags = URL_REMEMBER | URL_PROMPT_PW; |
| 91 | int urlOptional = 0; |
| 92 | if( find_option("autourl",0,0)!=0 ){ |
| 93 | urlOptional = 1; |
| 94 | urlFlags = 0; |
| 95 | } |
| 96 | fUseHttpAuth = find_option("httpauth",0,0)!=0; |
| 97 | if( find_option("once",0,0)!=0 ) urlFlags &= ~URL_REMEMBER; |
| 98 | if( find_option("private",0,0)!=0 ){ |
| 99 | *pSyncFlags |= SYNC_PRIVATE; |
| 100 | } |
| 101 | if( find_option("verbose","v",0)!=0 ){ |
| @@ -116,10 +118,11 @@ | |
| 118 | } |
| 119 | if( urlFlags & URL_REMEMBER ){ |
| 120 | clone_ssh_db_set_options(); |
| 121 | } |
| 122 | url_parse(zUrl, urlFlags); |
| 123 | remember_http_auth(fUseHttpAuth,zUrl); |
| 124 | url_remember(); |
| 125 | if( g.urlProtocol==0 ){ |
| 126 | if( urlOptional ) fossil_exit(0); |
| 127 | usage("URL"); |
| 128 | } |
| 129 |