Fossil SCM
Identify security-sensitive settings.
Commit
aa4c3afc52f6a94f5d2f4da3468fbff9a3796f6aa5a712105252dd591785c87f
Parent
fb41384045cb639…
3 files changed
+5
-5
+17
-30
+3
+5
-5
| --- src/alerts.c | ||
| +++ src/alerts.c | ||
| @@ -936,11 +936,11 @@ | ||
| 936 | 936 | ** This is a short name used to identifies the repository in the Subject: |
| 937 | 937 | ** line of email alerts. Traditionally this name is included in square |
| 938 | 938 | ** brackets. Examples: "[fossil-src]", "[sqlite-src]". |
| 939 | 939 | */ |
| 940 | 940 | /* |
| 941 | -** SETTING: email-send-method width=5 default=off | |
| 941 | +** SETTING: email-send-method width=5 default=off sensitive | |
| 942 | 942 | ** Determine the method used to send email. Allowed values are |
| 943 | 943 | ** "off", "relay", "pipe", "dir", "db", and "stdout". The "off" value |
| 944 | 944 | ** means no email is ever sent. The "relay" value means emails are sent |
| 945 | 945 | ** to an Mail Sending Agent using SMTP located at email-send-relayhost. |
| 946 | 946 | ** The "pipe" value means email messages are piped into a command |
| @@ -949,33 +949,33 @@ | ||
| 949 | 949 | ** by the email-send-dir setting. The "db" value means that emails |
| 950 | 950 | ** are added to an SQLite database named by the* email-send-db setting. |
| 951 | 951 | ** The "stdout" value writes email text to standard output, for debugging. |
| 952 | 952 | */ |
| 953 | 953 | /* |
| 954 | -** SETTING: email-send-command width=40 | |
| 954 | +** SETTING: email-send-command width=40 sensitive | |
| 955 | 955 | ** This is a command to which outbound email content is piped when the |
| 956 | 956 | ** email-send-method is set to "pipe". The command must extract |
| 957 | 957 | ** recipient, sender, subject, and all other relevant information |
| 958 | 958 | ** from the email header. |
| 959 | 959 | */ |
| 960 | 960 | /* |
| 961 | -** SETTING: email-send-dir width=40 | |
| 961 | +** SETTING: email-send-dir width=40 sensitive | |
| 962 | 962 | ** This is a directory into which outbound emails are written as individual |
| 963 | 963 | ** files if the email-send-method is set to "dir". |
| 964 | 964 | */ |
| 965 | 965 | /* |
| 966 | -** SETTING: email-send-db width=40 | |
| 966 | +** SETTING: email-send-db width=40 sensitive | |
| 967 | 967 | ** This is an SQLite database file into which outbound emails are written |
| 968 | 968 | ** if the email-send-method is set to "db". |
| 969 | 969 | */ |
| 970 | 970 | /* |
| 971 | 971 | ** SETTING: email-self width=40 |
| 972 | 972 | ** This is the email address for the repository. Outbound emails add |
| 973 | 973 | ** this email address as the "From:" field. |
| 974 | 974 | */ |
| 975 | 975 | /* |
| 976 | -** SETTING: email-send-relayhost width=40 | |
| 976 | +** SETTING: email-send-relayhost width=40 sensitive | |
| 977 | 977 | ** This is the hostname and TCP port to which output email messages |
| 978 | 978 | ** are sent when email-send-method is "relay". There should be an |
| 979 | 979 | ** SMTP server configured as a Mail Submission Agent listening on the |
| 980 | 980 | ** designated host and port and all times. |
| 981 | 981 | */ |
| 982 | 982 |
| --- src/alerts.c | |
| +++ src/alerts.c | |
| @@ -936,11 +936,11 @@ | |
| 936 | ** This is a short name used to identifies the repository in the Subject: |
| 937 | ** line of email alerts. Traditionally this name is included in square |
| 938 | ** brackets. Examples: "[fossil-src]", "[sqlite-src]". |
| 939 | */ |
| 940 | /* |
| 941 | ** SETTING: email-send-method width=5 default=off |
| 942 | ** Determine the method used to send email. Allowed values are |
| 943 | ** "off", "relay", "pipe", "dir", "db", and "stdout". The "off" value |
| 944 | ** means no email is ever sent. The "relay" value means emails are sent |
| 945 | ** to an Mail Sending Agent using SMTP located at email-send-relayhost. |
| 946 | ** The "pipe" value means email messages are piped into a command |
| @@ -949,33 +949,33 @@ | |
| 949 | ** by the email-send-dir setting. The "db" value means that emails |
| 950 | ** are added to an SQLite database named by the* email-send-db setting. |
| 951 | ** The "stdout" value writes email text to standard output, for debugging. |
| 952 | */ |
| 953 | /* |
| 954 | ** SETTING: email-send-command width=40 |
| 955 | ** This is a command to which outbound email content is piped when the |
| 956 | ** email-send-method is set to "pipe". The command must extract |
| 957 | ** recipient, sender, subject, and all other relevant information |
| 958 | ** from the email header. |
| 959 | */ |
| 960 | /* |
| 961 | ** SETTING: email-send-dir width=40 |
| 962 | ** This is a directory into which outbound emails are written as individual |
| 963 | ** files if the email-send-method is set to "dir". |
| 964 | */ |
| 965 | /* |
| 966 | ** SETTING: email-send-db width=40 |
| 967 | ** This is an SQLite database file into which outbound emails are written |
| 968 | ** if the email-send-method is set to "db". |
| 969 | */ |
| 970 | /* |
| 971 | ** SETTING: email-self width=40 |
| 972 | ** This is the email address for the repository. Outbound emails add |
| 973 | ** this email address as the "From:" field. |
| 974 | */ |
| 975 | /* |
| 976 | ** SETTING: email-send-relayhost width=40 |
| 977 | ** This is the hostname and TCP port to which output email messages |
| 978 | ** are sent when email-send-method is "relay". There should be an |
| 979 | ** SMTP server configured as a Mail Submission Agent listening on the |
| 980 | ** designated host and port and all times. |
| 981 | */ |
| 982 |
| --- src/alerts.c | |
| +++ src/alerts.c | |
| @@ -936,11 +936,11 @@ | |
| 936 | ** This is a short name used to identifies the repository in the Subject: |
| 937 | ** line of email alerts. Traditionally this name is included in square |
| 938 | ** brackets. Examples: "[fossil-src]", "[sqlite-src]". |
| 939 | */ |
| 940 | /* |
| 941 | ** SETTING: email-send-method width=5 default=off sensitive |
| 942 | ** Determine the method used to send email. Allowed values are |
| 943 | ** "off", "relay", "pipe", "dir", "db", and "stdout". The "off" value |
| 944 | ** means no email is ever sent. The "relay" value means emails are sent |
| 945 | ** to an Mail Sending Agent using SMTP located at email-send-relayhost. |
| 946 | ** The "pipe" value means email messages are piped into a command |
| @@ -949,33 +949,33 @@ | |
| 949 | ** by the email-send-dir setting. The "db" value means that emails |
| 950 | ** are added to an SQLite database named by the* email-send-db setting. |
| 951 | ** The "stdout" value writes email text to standard output, for debugging. |
| 952 | */ |
| 953 | /* |
| 954 | ** SETTING: email-send-command width=40 sensitive |
| 955 | ** This is a command to which outbound email content is piped when the |
| 956 | ** email-send-method is set to "pipe". The command must extract |
| 957 | ** recipient, sender, subject, and all other relevant information |
| 958 | ** from the email header. |
| 959 | */ |
| 960 | /* |
| 961 | ** SETTING: email-send-dir width=40 sensitive |
| 962 | ** This is a directory into which outbound emails are written as individual |
| 963 | ** files if the email-send-method is set to "dir". |
| 964 | */ |
| 965 | /* |
| 966 | ** SETTING: email-send-db width=40 sensitive |
| 967 | ** This is an SQLite database file into which outbound emails are written |
| 968 | ** if the email-send-method is set to "db". |
| 969 | */ |
| 970 | /* |
| 971 | ** SETTING: email-self width=40 |
| 972 | ** This is the email address for the repository. Outbound emails add |
| 973 | ** this email address as the "From:" field. |
| 974 | */ |
| 975 | /* |
| 976 | ** SETTING: email-send-relayhost width=40 sensitive |
| 977 | ** This is the hostname and TCP port to which output email messages |
| 978 | ** are sent when email-send-method is "relay". There should be an |
| 979 | ** SMTP server configured as a Mail Submission Agent listening on the |
| 980 | ** designated host and port and all times. |
| 981 | */ |
| 982 |
M
src/db.c
+17
-30
| --- src/db.c | ||
| +++ src/db.c | ||
| @@ -3432,32 +3432,19 @@ | ||
| 3432 | 3432 | ** SETTING: admin-log boolean default=off |
| 3433 | 3433 | ** |
| 3434 | 3434 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3435 | 3435 | ** in the "admin_log" table of the repository. |
| 3436 | 3436 | */ |
| 3437 | -#if defined(_WIN32) | |
| 3438 | 3437 | /* |
| 3439 | -** SETTING: allow-symlinks boolean default=off versionable | |
| 3438 | +** SETTING: allow-symlinks boolean default=off sensitive | |
| 3440 | 3439 | ** |
| 3441 | 3440 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3442 | 3441 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3443 | 3442 | ** the object to which the symbolic link points is ignored, and the content |
| 3444 | 3443 | ** of the symbolic link that is stored in the repository is the name of the |
| 3445 | 3444 | ** object to which the symbolic link points. |
| 3446 | 3445 | */ |
| 3447 | -#endif | |
| 3448 | -#if !defined(_WIN32) | |
| 3449 | -/* | |
| 3450 | -** SETTING: allow-symlinks boolean default=on versionable | |
| 3451 | -** | |
| 3452 | -** When allow-symlinks is OFF, symbolic links in the repository are followed | |
| 3453 | -** and treated no differently from real files. When allow-symlinks is ON, | |
| 3454 | -** the object to which the symbolic link points is ignored, and the content | |
| 3455 | -** of the symbolic link that is stored in the repository is the name of the | |
| 3456 | -** object to which the symbolic link points. | |
| 3457 | -*/ | |
| 3458 | -#endif | |
| 3459 | 3446 | /* |
| 3460 | 3447 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3461 | 3448 | ** If enabled, the /login page provides a button that will automatically |
| 3462 | 3449 | ** fill in the captcha password. This makes things easier for human users, |
| 3463 | 3450 | ** at the expense of also making logins easier for malicious robots. |
| @@ -3507,11 +3494,11 @@ | ||
| 3507 | 3494 | ** there is no cron job periodically running "fossil backoffice", |
| 3508 | 3495 | ** email notifications and other work normally done by the |
| 3509 | 3496 | ** backoffice will not occur. |
| 3510 | 3497 | */ |
| 3511 | 3498 | /* |
| 3512 | -** SETTING: backoffice-logfile width=40 | |
| 3499 | +** SETTING: backoffice-logfile width=40 sensitive | |
| 3513 | 3500 | ** If backoffice-logfile is not an empty string and is a valid |
| 3514 | 3501 | ** filename, then a one-line message is appended to that file |
| 3515 | 3502 | ** every time the backoffice runs. This can be used for debugging, |
| 3516 | 3503 | ** to ensure that backoffice is running appropriately. |
| 3517 | 3504 | */ |
| @@ -3584,11 +3571,11 @@ | ||
| 3584 | 3571 | /* |
| 3585 | 3572 | ** SETTING: crnl-glob width=40 versionable block-text |
| 3586 | 3573 | ** This is an alias for the crlf-glob setting. |
| 3587 | 3574 | */ |
| 3588 | 3575 | /* |
| 3589 | -** SETTING: default-perms width=16 default=u | |
| 3576 | +** SETTING: default-perms width=16 default=u sensitive | |
| 3590 | 3577 | ** Permissions given automatically to new users. For more |
| 3591 | 3578 | ** information on permissions see the Users page in Server |
| 3592 | 3579 | ** Administration of the HTTP UI. |
| 3593 | 3580 | */ |
| 3594 | 3581 | /* |
| @@ -3596,11 +3583,11 @@ | ||
| 3596 | 3583 | ** If enabled, permit files that may be binary |
| 3597 | 3584 | ** or that match the "binary-glob" setting to be used with |
| 3598 | 3585 | ** external diff programs. If disabled, skip these files. |
| 3599 | 3586 | */ |
| 3600 | 3587 | /* |
| 3601 | -** SETTING: diff-command width=40 | |
| 3588 | +** SETTING: diff-command width=40 sensitive | |
| 3602 | 3589 | ** The value is an external command to run when performing a diff. |
| 3603 | 3590 | ** If undefined, the internal text diff will be used. |
| 3604 | 3591 | */ |
| 3605 | 3592 | /* |
| 3606 | 3593 | ** SETTING: dont-push boolean default=off |
| @@ -3611,11 +3598,11 @@ | ||
| 3611 | 3598 | /* |
| 3612 | 3599 | ** SETTING: dotfiles boolean versionable default=off |
| 3613 | 3600 | ** If enabled, include --dotfiles option for all compatible commands. |
| 3614 | 3601 | */ |
| 3615 | 3602 | /* |
| 3616 | -** SETTING: editor width=32 | |
| 3603 | +** SETTING: editor width=32 sensitive | |
| 3617 | 3604 | ** The value is an external command that will launch the |
| 3618 | 3605 | ** text editor command used for check-in comments. |
| 3619 | 3606 | */ |
| 3620 | 3607 | /* |
| 3621 | 3608 | ** SETTING: empty-dirs width=40 versionable block-text |
| @@ -3654,16 +3641,16 @@ | ||
| 3654 | 3641 | ** An empty list prohibits editing via that page. Note that |
| 3655 | 3642 | ** it cannot edit binary files, so the list should not |
| 3656 | 3643 | ** contain any globs for, e.g., images or PDFs. |
| 3657 | 3644 | */ |
| 3658 | 3645 | /* |
| 3659 | -** SETTING: gdiff-command width=40 default=gdiff | |
| 3646 | +** SETTING: gdiff-command width=40 default=gdiff sensitive | |
| 3660 | 3647 | ** The value is an external command to run when performing a graphical |
| 3661 | 3648 | ** diff. If undefined, text diff will be used. |
| 3662 | 3649 | */ |
| 3663 | 3650 | /* |
| 3664 | -** SETTING: gmerge-command width=40 | |
| 3651 | +** SETTING: gmerge-command width=40 sensitive | |
| 3665 | 3652 | ** The value is a graphical merge conflict resolver command operating |
| 3666 | 3653 | ** on four files. Examples: |
| 3667 | 3654 | ** |
| 3668 | 3655 | ** kdiff3 "%baseline" "%original" "%merge" -o "%output" |
| 3669 | 3656 | ** xxdiff "%original" "%baseline" "%merge" -M "%output" |
| @@ -3794,11 +3781,11 @@ | ||
| 3794 | 3781 | ** the associated files within the checkout -AND- the "rm" |
| 3795 | 3782 | ** and "delete" commands will also remove the associated |
| 3796 | 3783 | ** files from within the checkout. |
| 3797 | 3784 | */ |
| 3798 | 3785 | /* |
| 3799 | -** SETTING: pgp-command width=40 | |
| 3786 | +** SETTING: pgp-command width=40 sensitive | |
| 3800 | 3787 | ** Command used to clear-sign manifests at check-in. |
| 3801 | 3788 | ** Default value is "gpg --clearsign -o" |
| 3802 | 3789 | */ |
| 3803 | 3790 | /* |
| 3804 | 3791 | ** SETTING: forbid-delta-manifests boolean default=off |
| @@ -3854,22 +3841,22 @@ | ||
| 3854 | 3841 | ** |
| 3855 | 3842 | ** If repolist-skin has a value of 2, then the repository is omitted from |
| 3856 | 3843 | ** the list in use cases 1 through 4, but not for 5 and 6. |
| 3857 | 3844 | */ |
| 3858 | 3845 | /* |
| 3859 | -** SETTING: self-register boolean default=off | |
| 3846 | +** SETTING: self-register boolean default=off sensitive | |
| 3860 | 3847 | ** Allow users to register themselves through the HTTP UI. |
| 3861 | 3848 | ** This is useful if you want to see other names than |
| 3862 | 3849 | ** "Anonymous" in e.g. ticketing system. On the other hand |
| 3863 | 3850 | ** users can not be deleted. |
| 3864 | 3851 | */ |
| 3865 | 3852 | /* |
| 3866 | -** SETTING: ssh-command width=40 | |
| 3853 | +** SETTING: ssh-command width=40 sensitive | |
| 3867 | 3854 | ** The command used to talk to a remote machine with the "ssh://" protocol. |
| 3868 | 3855 | */ |
| 3869 | 3856 | /* |
| 3870 | -** SETTING: ssl-ca-location width=40 | |
| 3857 | +** SETTING: ssl-ca-location width=40 sensitive | |
| 3871 | 3858 | ** The full pathname to a file containing PEM encoded |
| 3872 | 3859 | ** CA root certificates, or a directory of certificates |
| 3873 | 3860 | ** with filenames formed from the certificate hashes as |
| 3874 | 3861 | ** required by OpenSSL. |
| 3875 | 3862 | ** |
| @@ -3879,11 +3866,11 @@ | ||
| 3879 | 3866 | ** Checking your platform behaviour is required if the |
| 3880 | 3867 | ** exact contents of the CA root is critical for your |
| 3881 | 3868 | ** application. |
| 3882 | 3869 | */ |
| 3883 | 3870 | /* |
| 3884 | -** SETTING: ssl-identity width=40 | |
| 3871 | +** SETTING: ssl-identity width=40 sensitive | |
| 3885 | 3872 | ** The full pathname to a file containing a certificate |
| 3886 | 3873 | ** and private key in PEM format. Create by concatenating |
| 3887 | 3874 | ** the certificate and private key files. |
| 3888 | 3875 | ** |
| 3889 | 3876 | ** This identity will be presented to SSL servers to |
| @@ -3890,33 +3877,33 @@ | ||
| 3890 | 3877 | ** authenticate this client, in addition to the normal |
| 3891 | 3878 | ** password authentication. |
| 3892 | 3879 | */ |
| 3893 | 3880 | #ifdef FOSSIL_ENABLE_TCL |
| 3894 | 3881 | /* |
| 3895 | -** SETTING: tcl boolean default=off | |
| 3882 | +** SETTING: tcl boolean default=off sensitive | |
| 3896 | 3883 | ** If enabled Tcl integration commands will be added to the TH1 |
| 3897 | 3884 | ** interpreter, allowing arbitrary Tcl expressions and |
| 3898 | 3885 | ** scripts to be evaluated from TH1. Additionally, the Tcl |
| 3899 | 3886 | ** interpreter will be able to evaluate arbitrary TH1 |
| 3900 | 3887 | ** expressions and scripts. |
| 3901 | 3888 | */ |
| 3902 | 3889 | /* |
| 3903 | -** SETTING: tcl-setup width=40 block-text | |
| 3890 | +** SETTING: tcl-setup width=40 block-text sensitive | |
| 3904 | 3891 | ** This is the setup script to be evaluated after creating |
| 3905 | 3892 | ** and initializing the Tcl interpreter. By default, this |
| 3906 | 3893 | ** is empty and no extra setup is performed. |
| 3907 | 3894 | */ |
| 3908 | 3895 | #endif /* FOSSIL_ENABLE_TCL */ |
| 3909 | 3896 | /* |
| 3910 | -** SETTING: tclsh width=80 default=tclsh | |
| 3897 | +** SETTING: tclsh width=80 default=tclsh sensitive | |
| 3911 | 3898 | ** Name of the external TCL interpreter used for such things |
| 3912 | 3899 | ** as running the GUI diff viewer launched by the --tk option |
| 3913 | 3900 | ** of the various "diff" commands. |
| 3914 | 3901 | */ |
| 3915 | 3902 | #ifdef FOSSIL_ENABLE_TH1_DOCS |
| 3916 | 3903 | /* |
| 3917 | -** SETTING: th1-docs boolean default=off | |
| 3904 | +** SETTING: th1-docs boolean default=off sensitive | |
| 3918 | 3905 | ** If enabled, this allows embedded documentation files to contain |
| 3919 | 3906 | ** arbitrary TH1 scripts that are evaluated on the server. If native |
| 3920 | 3907 | ** Tcl integration is also enabled, this setting has the |
| 3921 | 3908 | ** potential to allow anybody with check-in privileges to |
| 3922 | 3909 | ** do almost anything that the associated operating system |
| @@ -3969,11 +3956,11 @@ | ||
| 3969 | 3956 | ** of a "fossil clone" or "fossil sync" command. The |
| 3970 | 3957 | ** default is false, in which case the -u option is |
| 3971 | 3958 | ** needed to clone or sync unversioned files. |
| 3972 | 3959 | */ |
| 3973 | 3960 | /* |
| 3974 | -** SETTING: web-browser width=30 | |
| 3961 | +** SETTING: web-browser width=30 sensitive | |
| 3975 | 3962 | ** A shell command used to launch your preferred |
| 3976 | 3963 | ** web browser when given a URL as an argument. |
| 3977 | 3964 | ** Defaults to "start" on windows, "open" on Mac, |
| 3978 | 3965 | ** and "firefox" on Unix. |
| 3979 | 3966 | */ |
| 3980 | 3967 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -3432,32 +3432,19 @@ | |
| 3432 | ** SETTING: admin-log boolean default=off |
| 3433 | ** |
| 3434 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3435 | ** in the "admin_log" table of the repository. |
| 3436 | */ |
| 3437 | #if defined(_WIN32) |
| 3438 | /* |
| 3439 | ** SETTING: allow-symlinks boolean default=off versionable |
| 3440 | ** |
| 3441 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3442 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3443 | ** the object to which the symbolic link points is ignored, and the content |
| 3444 | ** of the symbolic link that is stored in the repository is the name of the |
| 3445 | ** object to which the symbolic link points. |
| 3446 | */ |
| 3447 | #endif |
| 3448 | #if !defined(_WIN32) |
| 3449 | /* |
| 3450 | ** SETTING: allow-symlinks boolean default=on versionable |
| 3451 | ** |
| 3452 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3453 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3454 | ** the object to which the symbolic link points is ignored, and the content |
| 3455 | ** of the symbolic link that is stored in the repository is the name of the |
| 3456 | ** object to which the symbolic link points. |
| 3457 | */ |
| 3458 | #endif |
| 3459 | /* |
| 3460 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3461 | ** If enabled, the /login page provides a button that will automatically |
| 3462 | ** fill in the captcha password. This makes things easier for human users, |
| 3463 | ** at the expense of also making logins easier for malicious robots. |
| @@ -3507,11 +3494,11 @@ | |
| 3507 | ** there is no cron job periodically running "fossil backoffice", |
| 3508 | ** email notifications and other work normally done by the |
| 3509 | ** backoffice will not occur. |
| 3510 | */ |
| 3511 | /* |
| 3512 | ** SETTING: backoffice-logfile width=40 |
| 3513 | ** If backoffice-logfile is not an empty string and is a valid |
| 3514 | ** filename, then a one-line message is appended to that file |
| 3515 | ** every time the backoffice runs. This can be used for debugging, |
| 3516 | ** to ensure that backoffice is running appropriately. |
| 3517 | */ |
| @@ -3584,11 +3571,11 @@ | |
| 3584 | /* |
| 3585 | ** SETTING: crnl-glob width=40 versionable block-text |
| 3586 | ** This is an alias for the crlf-glob setting. |
| 3587 | */ |
| 3588 | /* |
| 3589 | ** SETTING: default-perms width=16 default=u |
| 3590 | ** Permissions given automatically to new users. For more |
| 3591 | ** information on permissions see the Users page in Server |
| 3592 | ** Administration of the HTTP UI. |
| 3593 | */ |
| 3594 | /* |
| @@ -3596,11 +3583,11 @@ | |
| 3596 | ** If enabled, permit files that may be binary |
| 3597 | ** or that match the "binary-glob" setting to be used with |
| 3598 | ** external diff programs. If disabled, skip these files. |
| 3599 | */ |
| 3600 | /* |
| 3601 | ** SETTING: diff-command width=40 |
| 3602 | ** The value is an external command to run when performing a diff. |
| 3603 | ** If undefined, the internal text diff will be used. |
| 3604 | */ |
| 3605 | /* |
| 3606 | ** SETTING: dont-push boolean default=off |
| @@ -3611,11 +3598,11 @@ | |
| 3611 | /* |
| 3612 | ** SETTING: dotfiles boolean versionable default=off |
| 3613 | ** If enabled, include --dotfiles option for all compatible commands. |
| 3614 | */ |
| 3615 | /* |
| 3616 | ** SETTING: editor width=32 |
| 3617 | ** The value is an external command that will launch the |
| 3618 | ** text editor command used for check-in comments. |
| 3619 | */ |
| 3620 | /* |
| 3621 | ** SETTING: empty-dirs width=40 versionable block-text |
| @@ -3654,16 +3641,16 @@ | |
| 3654 | ** An empty list prohibits editing via that page. Note that |
| 3655 | ** it cannot edit binary files, so the list should not |
| 3656 | ** contain any globs for, e.g., images or PDFs. |
| 3657 | */ |
| 3658 | /* |
| 3659 | ** SETTING: gdiff-command width=40 default=gdiff |
| 3660 | ** The value is an external command to run when performing a graphical |
| 3661 | ** diff. If undefined, text diff will be used. |
| 3662 | */ |
| 3663 | /* |
| 3664 | ** SETTING: gmerge-command width=40 |
| 3665 | ** The value is a graphical merge conflict resolver command operating |
| 3666 | ** on four files. Examples: |
| 3667 | ** |
| 3668 | ** kdiff3 "%baseline" "%original" "%merge" -o "%output" |
| 3669 | ** xxdiff "%original" "%baseline" "%merge" -M "%output" |
| @@ -3794,11 +3781,11 @@ | |
| 3794 | ** the associated files within the checkout -AND- the "rm" |
| 3795 | ** and "delete" commands will also remove the associated |
| 3796 | ** files from within the checkout. |
| 3797 | */ |
| 3798 | /* |
| 3799 | ** SETTING: pgp-command width=40 |
| 3800 | ** Command used to clear-sign manifests at check-in. |
| 3801 | ** Default value is "gpg --clearsign -o" |
| 3802 | */ |
| 3803 | /* |
| 3804 | ** SETTING: forbid-delta-manifests boolean default=off |
| @@ -3854,22 +3841,22 @@ | |
| 3854 | ** |
| 3855 | ** If repolist-skin has a value of 2, then the repository is omitted from |
| 3856 | ** the list in use cases 1 through 4, but not for 5 and 6. |
| 3857 | */ |
| 3858 | /* |
| 3859 | ** SETTING: self-register boolean default=off |
| 3860 | ** Allow users to register themselves through the HTTP UI. |
| 3861 | ** This is useful if you want to see other names than |
| 3862 | ** "Anonymous" in e.g. ticketing system. On the other hand |
| 3863 | ** users can not be deleted. |
| 3864 | */ |
| 3865 | /* |
| 3866 | ** SETTING: ssh-command width=40 |
| 3867 | ** The command used to talk to a remote machine with the "ssh://" protocol. |
| 3868 | */ |
| 3869 | /* |
| 3870 | ** SETTING: ssl-ca-location width=40 |
| 3871 | ** The full pathname to a file containing PEM encoded |
| 3872 | ** CA root certificates, or a directory of certificates |
| 3873 | ** with filenames formed from the certificate hashes as |
| 3874 | ** required by OpenSSL. |
| 3875 | ** |
| @@ -3879,11 +3866,11 @@ | |
| 3879 | ** Checking your platform behaviour is required if the |
| 3880 | ** exact contents of the CA root is critical for your |
| 3881 | ** application. |
| 3882 | */ |
| 3883 | /* |
| 3884 | ** SETTING: ssl-identity width=40 |
| 3885 | ** The full pathname to a file containing a certificate |
| 3886 | ** and private key in PEM format. Create by concatenating |
| 3887 | ** the certificate and private key files. |
| 3888 | ** |
| 3889 | ** This identity will be presented to SSL servers to |
| @@ -3890,33 +3877,33 @@ | |
| 3890 | ** authenticate this client, in addition to the normal |
| 3891 | ** password authentication. |
| 3892 | */ |
| 3893 | #ifdef FOSSIL_ENABLE_TCL |
| 3894 | /* |
| 3895 | ** SETTING: tcl boolean default=off |
| 3896 | ** If enabled Tcl integration commands will be added to the TH1 |
| 3897 | ** interpreter, allowing arbitrary Tcl expressions and |
| 3898 | ** scripts to be evaluated from TH1. Additionally, the Tcl |
| 3899 | ** interpreter will be able to evaluate arbitrary TH1 |
| 3900 | ** expressions and scripts. |
| 3901 | */ |
| 3902 | /* |
| 3903 | ** SETTING: tcl-setup width=40 block-text |
| 3904 | ** This is the setup script to be evaluated after creating |
| 3905 | ** and initializing the Tcl interpreter. By default, this |
| 3906 | ** is empty and no extra setup is performed. |
| 3907 | */ |
| 3908 | #endif /* FOSSIL_ENABLE_TCL */ |
| 3909 | /* |
| 3910 | ** SETTING: tclsh width=80 default=tclsh |
| 3911 | ** Name of the external TCL interpreter used for such things |
| 3912 | ** as running the GUI diff viewer launched by the --tk option |
| 3913 | ** of the various "diff" commands. |
| 3914 | */ |
| 3915 | #ifdef FOSSIL_ENABLE_TH1_DOCS |
| 3916 | /* |
| 3917 | ** SETTING: th1-docs boolean default=off |
| 3918 | ** If enabled, this allows embedded documentation files to contain |
| 3919 | ** arbitrary TH1 scripts that are evaluated on the server. If native |
| 3920 | ** Tcl integration is also enabled, this setting has the |
| 3921 | ** potential to allow anybody with check-in privileges to |
| 3922 | ** do almost anything that the associated operating system |
| @@ -3969,11 +3956,11 @@ | |
| 3969 | ** of a "fossil clone" or "fossil sync" command. The |
| 3970 | ** default is false, in which case the -u option is |
| 3971 | ** needed to clone or sync unversioned files. |
| 3972 | */ |
| 3973 | /* |
| 3974 | ** SETTING: web-browser width=30 |
| 3975 | ** A shell command used to launch your preferred |
| 3976 | ** web browser when given a URL as an argument. |
| 3977 | ** Defaults to "start" on windows, "open" on Mac, |
| 3978 | ** and "firefox" on Unix. |
| 3979 | */ |
| 3980 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -3432,32 +3432,19 @@ | |
| 3432 | ** SETTING: admin-log boolean default=off |
| 3433 | ** |
| 3434 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3435 | ** in the "admin_log" table of the repository. |
| 3436 | */ |
| 3437 | /* |
| 3438 | ** SETTING: allow-symlinks boolean default=off sensitive |
| 3439 | ** |
| 3440 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3441 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3442 | ** the object to which the symbolic link points is ignored, and the content |
| 3443 | ** of the symbolic link that is stored in the repository is the name of the |
| 3444 | ** object to which the symbolic link points. |
| 3445 | */ |
| 3446 | /* |
| 3447 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3448 | ** If enabled, the /login page provides a button that will automatically |
| 3449 | ** fill in the captcha password. This makes things easier for human users, |
| 3450 | ** at the expense of also making logins easier for malicious robots. |
| @@ -3507,11 +3494,11 @@ | |
| 3494 | ** there is no cron job periodically running "fossil backoffice", |
| 3495 | ** email notifications and other work normally done by the |
| 3496 | ** backoffice will not occur. |
| 3497 | */ |
| 3498 | /* |
| 3499 | ** SETTING: backoffice-logfile width=40 sensitive |
| 3500 | ** If backoffice-logfile is not an empty string and is a valid |
| 3501 | ** filename, then a one-line message is appended to that file |
| 3502 | ** every time the backoffice runs. This can be used for debugging, |
| 3503 | ** to ensure that backoffice is running appropriately. |
| 3504 | */ |
| @@ -3584,11 +3571,11 @@ | |
| 3571 | /* |
| 3572 | ** SETTING: crnl-glob width=40 versionable block-text |
| 3573 | ** This is an alias for the crlf-glob setting. |
| 3574 | */ |
| 3575 | /* |
| 3576 | ** SETTING: default-perms width=16 default=u sensitive |
| 3577 | ** Permissions given automatically to new users. For more |
| 3578 | ** information on permissions see the Users page in Server |
| 3579 | ** Administration of the HTTP UI. |
| 3580 | */ |
| 3581 | /* |
| @@ -3596,11 +3583,11 @@ | |
| 3583 | ** If enabled, permit files that may be binary |
| 3584 | ** or that match the "binary-glob" setting to be used with |
| 3585 | ** external diff programs. If disabled, skip these files. |
| 3586 | */ |
| 3587 | /* |
| 3588 | ** SETTING: diff-command width=40 sensitive |
| 3589 | ** The value is an external command to run when performing a diff. |
| 3590 | ** If undefined, the internal text diff will be used. |
| 3591 | */ |
| 3592 | /* |
| 3593 | ** SETTING: dont-push boolean default=off |
| @@ -3611,11 +3598,11 @@ | |
| 3598 | /* |
| 3599 | ** SETTING: dotfiles boolean versionable default=off |
| 3600 | ** If enabled, include --dotfiles option for all compatible commands. |
| 3601 | */ |
| 3602 | /* |
| 3603 | ** SETTING: editor width=32 sensitive |
| 3604 | ** The value is an external command that will launch the |
| 3605 | ** text editor command used for check-in comments. |
| 3606 | */ |
| 3607 | /* |
| 3608 | ** SETTING: empty-dirs width=40 versionable block-text |
| @@ -3654,16 +3641,16 @@ | |
| 3641 | ** An empty list prohibits editing via that page. Note that |
| 3642 | ** it cannot edit binary files, so the list should not |
| 3643 | ** contain any globs for, e.g., images or PDFs. |
| 3644 | */ |
| 3645 | /* |
| 3646 | ** SETTING: gdiff-command width=40 default=gdiff sensitive |
| 3647 | ** The value is an external command to run when performing a graphical |
| 3648 | ** diff. If undefined, text diff will be used. |
| 3649 | */ |
| 3650 | /* |
| 3651 | ** SETTING: gmerge-command width=40 sensitive |
| 3652 | ** The value is a graphical merge conflict resolver command operating |
| 3653 | ** on four files. Examples: |
| 3654 | ** |
| 3655 | ** kdiff3 "%baseline" "%original" "%merge" -o "%output" |
| 3656 | ** xxdiff "%original" "%baseline" "%merge" -M "%output" |
| @@ -3794,11 +3781,11 @@ | |
| 3781 | ** the associated files within the checkout -AND- the "rm" |
| 3782 | ** and "delete" commands will also remove the associated |
| 3783 | ** files from within the checkout. |
| 3784 | */ |
| 3785 | /* |
| 3786 | ** SETTING: pgp-command width=40 sensitive |
| 3787 | ** Command used to clear-sign manifests at check-in. |
| 3788 | ** Default value is "gpg --clearsign -o" |
| 3789 | */ |
| 3790 | /* |
| 3791 | ** SETTING: forbid-delta-manifests boolean default=off |
| @@ -3854,22 +3841,22 @@ | |
| 3841 | ** |
| 3842 | ** If repolist-skin has a value of 2, then the repository is omitted from |
| 3843 | ** the list in use cases 1 through 4, but not for 5 and 6. |
| 3844 | */ |
| 3845 | /* |
| 3846 | ** SETTING: self-register boolean default=off sensitive |
| 3847 | ** Allow users to register themselves through the HTTP UI. |
| 3848 | ** This is useful if you want to see other names than |
| 3849 | ** "Anonymous" in e.g. ticketing system. On the other hand |
| 3850 | ** users can not be deleted. |
| 3851 | */ |
| 3852 | /* |
| 3853 | ** SETTING: ssh-command width=40 sensitive |
| 3854 | ** The command used to talk to a remote machine with the "ssh://" protocol. |
| 3855 | */ |
| 3856 | /* |
| 3857 | ** SETTING: ssl-ca-location width=40 sensitive |
| 3858 | ** The full pathname to a file containing PEM encoded |
| 3859 | ** CA root certificates, or a directory of certificates |
| 3860 | ** with filenames formed from the certificate hashes as |
| 3861 | ** required by OpenSSL. |
| 3862 | ** |
| @@ -3879,11 +3866,11 @@ | |
| 3866 | ** Checking your platform behaviour is required if the |
| 3867 | ** exact contents of the CA root is critical for your |
| 3868 | ** application. |
| 3869 | */ |
| 3870 | /* |
| 3871 | ** SETTING: ssl-identity width=40 sensitive |
| 3872 | ** The full pathname to a file containing a certificate |
| 3873 | ** and private key in PEM format. Create by concatenating |
| 3874 | ** the certificate and private key files. |
| 3875 | ** |
| 3876 | ** This identity will be presented to SSL servers to |
| @@ -3890,33 +3877,33 @@ | |
| 3877 | ** authenticate this client, in addition to the normal |
| 3878 | ** password authentication. |
| 3879 | */ |
| 3880 | #ifdef FOSSIL_ENABLE_TCL |
| 3881 | /* |
| 3882 | ** SETTING: tcl boolean default=off sensitive |
| 3883 | ** If enabled Tcl integration commands will be added to the TH1 |
| 3884 | ** interpreter, allowing arbitrary Tcl expressions and |
| 3885 | ** scripts to be evaluated from TH1. Additionally, the Tcl |
| 3886 | ** interpreter will be able to evaluate arbitrary TH1 |
| 3887 | ** expressions and scripts. |
| 3888 | */ |
| 3889 | /* |
| 3890 | ** SETTING: tcl-setup width=40 block-text sensitive |
| 3891 | ** This is the setup script to be evaluated after creating |
| 3892 | ** and initializing the Tcl interpreter. By default, this |
| 3893 | ** is empty and no extra setup is performed. |
| 3894 | */ |
| 3895 | #endif /* FOSSIL_ENABLE_TCL */ |
| 3896 | /* |
| 3897 | ** SETTING: tclsh width=80 default=tclsh sensitive |
| 3898 | ** Name of the external TCL interpreter used for such things |
| 3899 | ** as running the GUI diff viewer launched by the --tk option |
| 3900 | ** of the various "diff" commands. |
| 3901 | */ |
| 3902 | #ifdef FOSSIL_ENABLE_TH1_DOCS |
| 3903 | /* |
| 3904 | ** SETTING: th1-docs boolean default=off sensitive |
| 3905 | ** If enabled, this allows embedded documentation files to contain |
| 3906 | ** arbitrary TH1 scripts that are evaluated on the server. If native |
| 3907 | ** Tcl integration is also enabled, this setting has the |
| 3908 | ** potential to allow anybody with check-in privileges to |
| 3909 | ** do almost anything that the associated operating system |
| @@ -3969,11 +3956,11 @@ | |
| 3956 | ** of a "fossil clone" or "fossil sync" command. The |
| 3957 | ** default is false, in which case the -u option is |
| 3958 | ** needed to clone or sync unversioned files. |
| 3959 | */ |
| 3960 | /* |
| 3961 | ** SETTING: web-browser width=30 sensitive |
| 3962 | ** A shell command used to launch your preferred |
| 3963 | ** web browser when given a URL as an argument. |
| 3964 | ** Defaults to "start" on windows, "open" on Mac, |
| 3965 | ** and "firefox" on Unix. |
| 3966 | */ |
| 3967 |
+3
| --- src/mkindex.c | ||
| +++ src/mkindex.c | ||
| @@ -90,10 +90,11 @@ | ||
| 90 | 90 | #define CMDFLAG_SETTING 0x0020 /* A setting */ |
| 91 | 91 | #define CMDFLAG_VERSIONABLE 0x0040 /* A versionable setting */ |
| 92 | 92 | #define CMDFLAG_BLOCKTEXT 0x0080 /* Multi-line text setting */ |
| 93 | 93 | #define CMDFLAG_BOOLEAN 0x0100 /* A boolean setting */ |
| 94 | 94 | #define CMDFLAG_RAWCONTENT 0x0200 /* Do not interpret webpage content */ |
| 95 | +#define CMDFLAG_SENSITIVE 0x0400 /* Security-sensitive setting */ | |
| 95 | 96 | /**************************************************************************/ |
| 96 | 97 | |
| 97 | 98 | /* |
| 98 | 99 | ** Each entry looks like this: |
| 99 | 100 | */ |
| @@ -248,10 +249,12 @@ | ||
| 248 | 249 | }else if( j==10 && strncmp(&zLine[i], "block-text", j)==0 ){ |
| 249 | 250 | aEntry[nUsed].eType &= ~(CMDFLAG_BOOLEAN); |
| 250 | 251 | aEntry[nUsed].eType |= CMDFLAG_BLOCKTEXT; |
| 251 | 252 | }else if( j==11 && strncmp(&zLine[i], "versionable", j)==0 ){ |
| 252 | 253 | aEntry[nUsed].eType |= CMDFLAG_VERSIONABLE; |
| 254 | + }else if( j==9 && strncmp(&zLine[i], "sensitive", j)==0 ){ | |
| 255 | + aEntry[nUsed].eType |= CMDFLAG_SENSITIVE; | |
| 253 | 256 | }else if( j>6 && strncmp(&zLine[i], "width=", 6)==0 ){ |
| 254 | 257 | aEntry[nUsed].iWidth = atoi(&zLine[i+6]); |
| 255 | 258 | }else if( j>8 && strncmp(&zLine[i], "default=", 8)==0 ){ |
| 256 | 259 | aEntry[nUsed].zDflt = string_dup(&zLine[i+8], j-8); |
| 257 | 260 | }else if( j>9 && strncmp(&zLine[i], "variable=", 9)==0 ){ |
| 258 | 261 |
| --- src/mkindex.c | |
| +++ src/mkindex.c | |
| @@ -90,10 +90,11 @@ | |
| 90 | #define CMDFLAG_SETTING 0x0020 /* A setting */ |
| 91 | #define CMDFLAG_VERSIONABLE 0x0040 /* A versionable setting */ |
| 92 | #define CMDFLAG_BLOCKTEXT 0x0080 /* Multi-line text setting */ |
| 93 | #define CMDFLAG_BOOLEAN 0x0100 /* A boolean setting */ |
| 94 | #define CMDFLAG_RAWCONTENT 0x0200 /* Do not interpret webpage content */ |
| 95 | /**************************************************************************/ |
| 96 | |
| 97 | /* |
| 98 | ** Each entry looks like this: |
| 99 | */ |
| @@ -248,10 +249,12 @@ | |
| 248 | }else if( j==10 && strncmp(&zLine[i], "block-text", j)==0 ){ |
| 249 | aEntry[nUsed].eType &= ~(CMDFLAG_BOOLEAN); |
| 250 | aEntry[nUsed].eType |= CMDFLAG_BLOCKTEXT; |
| 251 | }else if( j==11 && strncmp(&zLine[i], "versionable", j)==0 ){ |
| 252 | aEntry[nUsed].eType |= CMDFLAG_VERSIONABLE; |
| 253 | }else if( j>6 && strncmp(&zLine[i], "width=", 6)==0 ){ |
| 254 | aEntry[nUsed].iWidth = atoi(&zLine[i+6]); |
| 255 | }else if( j>8 && strncmp(&zLine[i], "default=", 8)==0 ){ |
| 256 | aEntry[nUsed].zDflt = string_dup(&zLine[i+8], j-8); |
| 257 | }else if( j>9 && strncmp(&zLine[i], "variable=", 9)==0 ){ |
| 258 |
| --- src/mkindex.c | |
| +++ src/mkindex.c | |
| @@ -90,10 +90,11 @@ | |
| 90 | #define CMDFLAG_SETTING 0x0020 /* A setting */ |
| 91 | #define CMDFLAG_VERSIONABLE 0x0040 /* A versionable setting */ |
| 92 | #define CMDFLAG_BLOCKTEXT 0x0080 /* Multi-line text setting */ |
| 93 | #define CMDFLAG_BOOLEAN 0x0100 /* A boolean setting */ |
| 94 | #define CMDFLAG_RAWCONTENT 0x0200 /* Do not interpret webpage content */ |
| 95 | #define CMDFLAG_SENSITIVE 0x0400 /* Security-sensitive setting */ |
| 96 | /**************************************************************************/ |
| 97 | |
| 98 | /* |
| 99 | ** Each entry looks like this: |
| 100 | */ |
| @@ -248,10 +249,12 @@ | |
| 249 | }else if( j==10 && strncmp(&zLine[i], "block-text", j)==0 ){ |
| 250 | aEntry[nUsed].eType &= ~(CMDFLAG_BOOLEAN); |
| 251 | aEntry[nUsed].eType |= CMDFLAG_BLOCKTEXT; |
| 252 | }else if( j==11 && strncmp(&zLine[i], "versionable", j)==0 ){ |
| 253 | aEntry[nUsed].eType |= CMDFLAG_VERSIONABLE; |
| 254 | }else if( j==9 && strncmp(&zLine[i], "sensitive", j)==0 ){ |
| 255 | aEntry[nUsed].eType |= CMDFLAG_SENSITIVE; |
| 256 | }else if( j>6 && strncmp(&zLine[i], "width=", 6)==0 ){ |
| 257 | aEntry[nUsed].iWidth = atoi(&zLine[i+6]); |
| 258 | }else if( j>8 && strncmp(&zLine[i], "default=", 8)==0 ){ |
| 259 | aEntry[nUsed].zDflt = string_dup(&zLine[i+8], j-8); |
| 260 | }else if( j>9 && strncmp(&zLine[i], "variable=", 9)==0 ){ |
| 261 |