Fossil SCM
Add the capability (disabled by default) to accept REMOTE_USER as an authenticated user. Ticket [49929a3557a]
Commit
a5a1ff1b4b5a1ae0f69d86feead0d755e25fa248
Parent
42bbfe9d64ebb67…
2 files changed
+11
+15
-7
+11
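--- a/src/login.c
+++ b/src/login.c
@@ -397,10 +397,21 @@
 );
 blob_reset(&b);
 }
 sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "%.10s", zCookie);
 }
+
+/* If no user found and the REMOTE_USER environment variable is set,
+** the accept the value of REMOTE_USER as the user.
+*/
+if( uid==0 ){
+const char *zRemoteUser = P("REMOTE_USER");
+if( zRemoteUser && db_get_boolean("remote_user_ok",0) ){
+uid = db_int(0, "SELECT uid FROM user WHERE login=%Q"
+" AND length(cap)>0 AND length(pw)>0", zRemoteUser);
+}
+}
 
 /* If no user found yet, try to log in as "nobody" */
 if( uid==0 ){
 uid = db_int(0, "SELECT uid FROM user WHERE login='nobody'");
 if( uid==0 ){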
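Review bot: The new `uid==0` branch takes the login name from `P("REMOTE_USER")`, while the comment above it says the value comes from the environment. P() is defined outside this hunk, so confirm that it cannot be satisfied by a query, POST or cookie parameter of the same name; if it can, the client rather than the front-end web server chooses the login, and the value should be read from the process environment directly (for example `getenv("REMOTE_USER")`). The lookup requires `length(pw)>0` but never compares a password, so the comment should state the trust assumption, e.g. `** Only safe when the front-end web server authenticates the user and sets or clears REMOTE_USER itself.` The comment also has a typo, "the accept" for "then accept". The enclosing function starts and ends outside the hunk.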
+15
-7
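--- a/src/setup.c
+++ b/src/setup.c
@@ -738,17 +738,16 @@
 @ from the ~/.fossil database. Password login is always required
 @ for incoming web connections on internet addresses other than
 @ 127.0.0.1.</p></li>
 
 @ <hr>
-onoff_attribute("Show javascript button to fill in CAPTCHA",
-"auto-captcha", "autocaptcha", 0);
-@ <p>When enabled, a button appears on the login screen for user
-@ "anonymous" that will automatically fill in the CAPTCHA password.
-@ This is less secure that forcing the user to do it manually, but is
-@ probably secure enough and it is certainly more convenient for
-@ anonymous users.</p>
+onoff_attribute("Allow REMOTE_USER authentication",
+"remote_user_ok", "remote_user_ok", 0);
+@ <p>When enabled, if the REMOTE_USER environment variable is set to the
+@ login name of a valid user and no other login credentials are available,
+@ then the REMOTE_USER is accepted as an authenticated user.
+@ </p></li>
 
 @ <hr>
 entry_attribute("Login expiration time", 6, "cookie-expire", "cex", "8766");
 @ <p>The number of hours for which a login is valid. This must be a
 @ positive number. The default is 8760 hours which is approximately equal
@@ -761,10 +760,19 @@
 @ to this many bytes, uncompressed. If the client requires more data
 @ than this, then the client will issue multiple HTTP requests.
 @ Values below 1 million are not recommended. 5 million is a
 @ reasonable number.</p>
 
+@ <hr>
+onoff_attribute("Show javascript button to fill in CAPTCHA",
+"auto-captcha", "autocaptcha", 0);
+@ <p>When enabled, a button appears on the login screen for user
+@ "anonymous" that will automatically fill in the CAPTCHA password.
+@ This is less secure that forcing the user to do it manually, but is
+@ probably secure enough and it is certainly more convenient for
+@ anonymous users.</p>
+
 @ <hr>
 @ <p><input type="submit" name="submit" value="Apply Changes"></p>
 @ </form>
 db_end_transaction(0);
 style_footer();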
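Review bot: The help text added for "Allow REMOTE_USER authentication" in the first hunk does not tell the administrator that the named account is accepted without any password comparison, so the option is only appropriate when a front-end web server performs the authentication and controls REMOTE_USER. I would add a line such as `@ Enable this only when a front-end web server authenticates the user and sets REMOTE_USER itself.` before the closing tag. The new text also ends with `@ </p></li>` where the CAPTCHA paragraph it replaces ended with `</p>`; no opening `<li>` is visible in this hunk, so the `</li>` looks stray and should be checked against the surrounding list markup. The setting name `remote_user_ok` uses underscores while the neighbouring settings (`auto-captcha`, `cookie-expire`) use hyphens.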