Fossil SCM

Fix CGI processing so that requests sent over SSH process query parameters. Add the --ssh-sim option to the test-http command (used to debug the previous). Harden the "fossil get" command so that it can checks filenames and does not write a file that is outside of the designated --dest.

drh 2025-10-15 21:33 get-command

Commit 9a767601780a07700db90595857d5f48bf444b6241d1b9bf629a76f2f12b8147

Parent 8028c868d3c0551…

3 files changed +3 +7 -5 +4

~ src/cgi.c ~ src/checkout.c ~ src/main.c

M src/cgi.c

		--- src/cgi.c
		+++ src/cgi.c
		@@ -2363,12 +2363,14 @@
2363	2363
2364	2364	for(i=0; zToken[i] && zToken[i]!='?'; i++){}
2365	2365	if( zToken[i] ) zToken[i++] = 0;
2366	2366	if( nCycles==0 ){
2367	2367	cgi_setenv("PATH_INFO", zToken);
	2368	+ cgi_setenv("QUERY_STRING",&zToken[i]);
2368	2369	}else{
2369	2370	cgi_replace_parameter("PATH_INFO", fossil_strdup(zToken));
	2371	+ cgi_replace_parameter("QUERY_STRING",fossil_strdup(&zToken[i]));
2370	2372	}
2371	2373
2372	2374	/* Get all the optional fields that follow the first line.
2373	2375	*/
2374	2376	while( fgets(zLine,sizeof(zLine),g.httpIn) ){
		@@ -2428,10 +2430,11 @@
2428	2430	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2429	2431	}else if( fossil_strcmp(zType, "application/x-fossil-uncompressed")==0 ){
2430	2432	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2431	2433	}
2432	2434	}
	2435	+ cgi_init();
2433	2436	cgi_trace(0);
2434	2437	nCycles++;
2435	2438	}
2436	2439
2437	2440	/*
2438	2441

	--- src/cgi.c
	+++ src/cgi.c
	@@ -2363,12 +2363,14 @@
2363
2364	for(i=0; zToken[i] && zToken[i]!='?'; i++){}
2365	if( zToken[i] ) zToken[i++] = 0;
2366	if( nCycles==0 ){
2367	cgi_setenv("PATH_INFO", zToken);

2368	}else{
2369	cgi_replace_parameter("PATH_INFO", fossil_strdup(zToken));

2370	}
2371
2372	/* Get all the optional fields that follow the first line.
2373	*/
2374	while( fgets(zLine,sizeof(zLine),g.httpIn) ){
	@@ -2428,10 +2430,11 @@
2428	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2429	}else if( fossil_strcmp(zType, "application/x-fossil-uncompressed")==0 ){
2430	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2431	}
2432	}

2433	cgi_trace(0);
2434	nCycles++;
2435	}
2436
2437	/*
2438

	--- src/cgi.c
	+++ src/cgi.c
	@@ -2363,12 +2363,14 @@
2363
2364	for(i=0; zToken[i] && zToken[i]!='?'; i++){}
2365	if( zToken[i] ) zToken[i++] = 0;
2366	if( nCycles==0 ){
2367	cgi_setenv("PATH_INFO", zToken);
2368	cgi_setenv("QUERY_STRING",&zToken[i]);
2369	}else{
2370	cgi_replace_parameter("PATH_INFO", fossil_strdup(zToken));
2371	cgi_replace_parameter("QUERY_STRING",fossil_strdup(&zToken[i]));
2372	}
2373
2374	/* Get all the optional fields that follow the first line.
2375	*/
2376	while( fgets(zLine,sizeof(zLine),g.httpIn) ){
	@@ -2428,10 +2430,11 @@
2430	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2431	}else if( fossil_strcmp(zType, "application/x-fossil-uncompressed")==0 ){
2432	blob_read_from_channel(&g.cgiIn, g.httpIn, content_length);
2433	}
2434	}
2435	cgi_init();
2436	cgi_trace(0);
2437	nCycles++;
2438	}
2439
2440	/*
2441

M src/checkout.c

+7 -5

		--- src/checkout.c
		+++ src/checkout.c
		@@ -472,10 +472,11 @@
472	472	int bDebug = find_option("debug",0,0)!=0;
473	473	int bList = find_option("list",0,0)!=0;
474	474	const char *zSqlArchive = find_option("sqlar",0,1);
475	475	const char *z;
476	476	char zDest = 0; / Where to store results */
	477	+ char zSql; / SQL used to query the results */
477	478	const char zUrl; / Url to get */
478	479	const char zVers; / Version name to get */
479	480	unsigned int mHttpFlags = HTTP_GENERIC\|HTTP_NOCOMPRESS;
480	481	Blob in, out; /* I/O for the HTTP request */
481	482	Blob file; /* A file to extract */
		@@ -541,11 +542,11 @@
541	542	}
542	543	}
543	544
544	545	/* Construct a subpath on the URL if necessary */
545	546	if( g.url.isSsh \|\| g.url.isFile ){
546		- g.url.subpath = mprintf("/sqlar/%t/%t.sqlar", zVers, zDest);
	547	+ g.url.subpath = mprintf("/sqlar?r=%t&name=%t.sqlar", zVers, zDest);
547	548	}
548	549
549	550	if( bDebug ){
550	551	urlparse_print(0);
551	552	}
		@@ -571,13 +572,14 @@
571	572	}
572	573	if( rc!=SQLITE_OK ){
573	574	fossil_fatal("Cannot create an in-memory database: %s",
574	575	sqlite3_errmsg(db));
575	576	}
576		- rc = sqlite3_prepare_v2(db,
577		- "SELECT name, mode, sz, data"
578		- " FROM sqlar", -1, &pStmt, 0);
	577	+ zSql = mprintf("SELECT name, mode, sz, data FROM sqlar"
	578	+ " WHERE name GLOB '%q*'", zDest);
	579	+ rc = sqlite3_prepare_v2(db, zSql, -1, &pStmt, 0);
	580	+ fossil_free(zSql);
579	581	if( rc!=0 ){
580	582	fossil_fatal("SQL error: %s\n", sqlite3_errmsg(db));
581	583	}
582	584	blob_init(&file, 0, 0);
583	585	while( sqlite3_step(pStmt)==SQLITE_ROW ){
		@@ -584,11 +586,11 @@
584	586	const char zFilename = (const char)sqlite3_column_text(pStmt, 0);
585	587	int mode = sqlite3_column_int(pStmt, 1);
586	588	int sz = sqlite3_column_int(pStmt, 2);
587	589	if( bList ){
588	590	fossil_print("%s\n", zFilename);
589		- }else if( mode & 0x4000 ){
	591	+ }else if( mode & 0x4000 ){
590	592	/* A directory name */
591	593	nDir++;
592	594	file_mkdir(zFilename, ExtFILE, 1);
593	595	}else{
594	596	/* A file */
595	597

	--- src/checkout.c
	+++ src/checkout.c
	@@ -472,10 +472,11 @@
472	int bDebug = find_option("debug",0,0)!=0;
473	int bList = find_option("list",0,0)!=0;
474	const char *zSqlArchive = find_option("sqlar",0,1);
475	const char *z;
476	char zDest = 0; / Where to store results */

477	const char zUrl; / Url to get */
478	const char zVers; / Version name to get */
479	unsigned int mHttpFlags = HTTP_GENERIC\|HTTP_NOCOMPRESS;
480	Blob in, out; /* I/O for the HTTP request */
481	Blob file; /* A file to extract */
	@@ -541,11 +542,11 @@
541	}
542	}
543
544	/* Construct a subpath on the URL if necessary */
545	if( g.url.isSsh \|\| g.url.isFile ){
546	g.url.subpath = mprintf("/sqlar/%t/%t.sqlar", zVers, zDest);
547	}
548
549	if( bDebug ){
550	urlparse_print(0);
551	}
	@@ -571,13 +572,14 @@
571	}
572	if( rc!=SQLITE_OK ){
573	fossil_fatal("Cannot create an in-memory database: %s",
574	sqlite3_errmsg(db));
575	}
576	rc = sqlite3_prepare_v2(db,
577	"SELECT name, mode, sz, data"
578	" FROM sqlar", -1, &pStmt, 0);

579	if( rc!=0 ){
580	fossil_fatal("SQL error: %s\n", sqlite3_errmsg(db));
581	}
582	blob_init(&file, 0, 0);
583	while( sqlite3_step(pStmt)==SQLITE_ROW ){
	@@ -584,11 +586,11 @@
584	const char zFilename = (const char)sqlite3_column_text(pStmt, 0);
585	int mode = sqlite3_column_int(pStmt, 1);
586	int sz = sqlite3_column_int(pStmt, 2);
587	if( bList ){
588	fossil_print("%s\n", zFilename);
589	}else if( mode & 0x4000 ){
590	/* A directory name */
591	nDir++;
592	file_mkdir(zFilename, ExtFILE, 1);
593	}else{
594	/* A file */
595

	--- src/checkout.c
	+++ src/checkout.c
	@@ -472,10 +472,11 @@
472	int bDebug = find_option("debug",0,0)!=0;
473	int bList = find_option("list",0,0)!=0;
474	const char *zSqlArchive = find_option("sqlar",0,1);
475	const char *z;
476	char zDest = 0; / Where to store results */
477	char zSql; / SQL used to query the results */
478	const char zUrl; / Url to get */
479	const char zVers; / Version name to get */
480	unsigned int mHttpFlags = HTTP_GENERIC\|HTTP_NOCOMPRESS;
481	Blob in, out; /* I/O for the HTTP request */
482	Blob file; /* A file to extract */
	@@ -541,11 +542,11 @@
542	}
543	}
544
545	/* Construct a subpath on the URL if necessary */
546	if( g.url.isSsh \|\| g.url.isFile ){
547	g.url.subpath = mprintf("/sqlar?r=%t&name=%t.sqlar", zVers, zDest);
548	}
549
550	if( bDebug ){
551	urlparse_print(0);
552	}
	@@ -571,13 +572,14 @@
572	}
573	if( rc!=SQLITE_OK ){
574	fossil_fatal("Cannot create an in-memory database: %s",
575	sqlite3_errmsg(db));
576	}
577	zSql = mprintf("SELECT name, mode, sz, data FROM sqlar"
578	" WHERE name GLOB '%q*'", zDest);
579	rc = sqlite3_prepare_v2(db, zSql, -1, &pStmt, 0);
580	fossil_free(zSql);
581	if( rc!=0 ){
582	fossil_fatal("SQL error: %s\n", sqlite3_errmsg(db));
583	}
584	blob_init(&file, 0, 0);
585	while( sqlite3_step(pStmt)==SQLITE_ROW ){
	@@ -584,11 +586,11 @@
586	const char zFilename = (const char)sqlite3_column_text(pStmt, 0);
587	int mode = sqlite3_column_int(pStmt, 1);
588	int sz = sqlite3_column_int(pStmt, 2);
589	if( bList ){
590	fossil_print("%s\n", zFilename);
591	}else if( mode & 0x4000 ){
592	/* A directory name */
593	nDir++;
594	file_mkdir(zFilename, ExtFILE, 1);
595	}else{
596	/* A file */
597

M src/main.c

		--- src/main.c
		+++ src/main.c
		@@ -3101,10 +3101,11 @@
3101	3101	** breaking legacy.
3102	3102	**
3103	3103	** Options:
3104	3104	** --csrf-safe N Set cgi_csrf_safe() to to return N
3105	3105	** --nobody Pretend to be user "nobody"
	3106	+** --ssh-sim Pretend to be over an SSH connection
3106	3107	** --test Do not do special "sync" processing when operating
3107	3108	** over an SSH link
3108	3109	** --th-trace Trace TH1 execution (for debugging purposes)
3109	3110	** --usercap CAP User capability string (Default: "sxy")
3110	3111	*/
		@@ -3112,10 +3113,13 @@
3112	3113	const char zIpAddr; / IP address of remote client */
3113	3114	const char *zUserCap;
3114	3115	int bTest = 0;
3115	3116	const char *zCsrfSafe = find_option("csrf-safe",0,1);
3116	3117
	3118	+ if( find_option("ssh-sim",0,0)!=0 ){
	3119	+ putenv("SSH_CONNECTION=127.0.0.1 12345 127.0.0.2 23456");
	3120	+ }
3117	3121	Th_InitTraceLog();
3118	3122	if( zCsrfSafe ) g.okCsrf = atoi(zCsrfSafe);
3119	3123	zUserCap = find_option("usercap",0,1);
3120	3124	if( !find_option("nobody",0,0) ){
3121	3125	if( zUserCap==0 ){
3122	3126

	--- src/main.c
	+++ src/main.c
	@@ -3101,10 +3101,11 @@
3101	** breaking legacy.
3102	**
3103	** Options:
3104	** --csrf-safe N Set cgi_csrf_safe() to to return N
3105	** --nobody Pretend to be user "nobody"

3106	** --test Do not do special "sync" processing when operating
3107	** over an SSH link
3108	** --th-trace Trace TH1 execution (for debugging purposes)
3109	** --usercap CAP User capability string (Default: "sxy")
3110	*/
	@@ -3112,10 +3113,13 @@
3112	const char zIpAddr; / IP address of remote client */
3113	const char *zUserCap;
3114	int bTest = 0;
3115	const char *zCsrfSafe = find_option("csrf-safe",0,1);
3116



3117	Th_InitTraceLog();
3118	if( zCsrfSafe ) g.okCsrf = atoi(zCsrfSafe);
3119	zUserCap = find_option("usercap",0,1);
3120	if( !find_option("nobody",0,0) ){
3121	if( zUserCap==0 ){
3122

	--- src/main.c
	+++ src/main.c
	@@ -3101,10 +3101,11 @@
3101	** breaking legacy.
3102	**
3103	** Options:
3104	** --csrf-safe N Set cgi_csrf_safe() to to return N
3105	** --nobody Pretend to be user "nobody"
3106	** --ssh-sim Pretend to be over an SSH connection
3107	** --test Do not do special "sync" processing when operating
3108	** over an SSH link
3109	** --th-trace Trace TH1 execution (for debugging purposes)
3110	** --usercap CAP User capability string (Default: "sxy")
3111	*/
	@@ -3112,10 +3113,13 @@
3113	const char zIpAddr; / IP address of remote client */
3114	const char *zUserCap;
3115	int bTest = 0;
3116	const char *zCsrfSafe = find_option("csrf-safe",0,1);
3117
3118	if( find_option("ssh-sim",0,0)!=0 ){
3119	putenv("SSH_CONNECTION=127.0.0.1 12345 127.0.0.2 23456");
3120	}
3121	Th_InitTraceLog();
3122	if( zCsrfSafe ) g.okCsrf = atoi(zCsrfSafe);
3123	zUserCap = find_option("usercap",0,1);
3124	if( !find_option("nobody",0,0) ){
3125	if( zUserCap==0 ){
3126

Fossil SCM

Keyboard Shortcuts