Fossil SCM
Update the change log for version 2.27
Commit
a403e11b6fcaef07c53c175a21ba14c66d3963e76b4fbd0f4f15ca8877f7b849
Parent
a6d506ecc424277…
1 file changed
+17
-4
| --- www/changes.wiki | ||
| +++ www/changes.wiki | ||
| @@ -1,11 +1,24 @@ | ||
| 1 | 1 | <title>Change Log</title> |
| 2 | 2 | |
| 3 | -<h2 id='v2_27'>Changes for version 2.27 (pending)</h2> | |
| 4 | - | |
| 5 | - * Enhance the chng= query parameter on the [/help?cmd=/timeline|timeline page] | |
| 6 | - so that it works with other query parameters like p=, d=, from=, and to=. | |
| 3 | +<h2 id='v2_27'>Changes for version 2.27 (pending)</h2><ol> | |
| 4 | + <li> Fix a SQL injection on the [/help?cmd=/file|/file page]. Thanks to | |
| 5 | + additional defenses built into Fossil, as well as good luck, this injection | |
| 6 | + is not exploitable for either data exfiltration or privilege escalation. The | |
| 7 | + only possible result of invoking the injection is a harmless SQL syntax error. | |
| 8 | + (The [https://en.wikipedia.org/wiki/Swiss_cheese_model|holes in the Swiss cheese] | |
| 9 | + did not line up!) | |
| 10 | + <li> Enhance the chng= query parameter on the [/help?cmd=/timeline|timeline page] | |
| 11 | + so that it works with other query parameters like p=, d=, from=, and to=. | |
| 12 | + <li> Always include nodes identify by sel1= and sel2= in the /timeline display. | |
| 13 | + <li> Enable the --editor option on the [/help?cmd=amend|fossil amend] command. | |
| 14 | + <li> Require at least an anonymous login to access the /blame page and similar, | |
| 15 | + to help prevent robots from soaking up excess CPU time on such pages. | |
| 16 | + <li> When walking the filesystem looking for Fossil repositories, avoid descending | |
| 17 | + into directories named "/proc". | |
| 18 | + </ol> | |
| 19 | + | |
| 7 | 20 | |
| 8 | 21 | <h2 id='v2_26'>Changes for version 2.26 (2025-04-30)</h2><ol> |
| 9 | 22 | <li>Enhancements to [/help?cmd=diff|fossil diff] and similar: |
| 10 | 23 | <ol type="a"> |
| 11 | 24 | <li> The argument to the --from option can be a directory name, causing |
| 12 | 25 |
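Review bot: The new SQL-injection entry (new lines 4–9) gives no reference to the fixing check-in and does not name the affected query parameter, so a reader cannot verify the claim that "the only possible result of invoking the injection is a harmless SQL syntax error"; linking the fixing check-in the way the other entries link their commands would make the entry checkable. Two smaller points in the same hunk: new line 12 has a typo, "Always include nodes identify by sel1= and sel2=" should read "nodes identified by sel1= and sel2="; and the added blank line at new line 19 sits directly above the existing blank at line 20, leaving two empty lines before the <h2 id='v2_26'> heading where the old text (line 7) had one, so one of them should be dropped.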