Fossil SCM
Make it harder to misconfigure the user accounts in a way that might give people greater access than intended.
Commit
bbb8ae7ebf745fa28b7a280e70bc60e2c2670cab
Parent
aa5735473649506…
3 files changed
+1
-1
+6
-2
+1
M
src/db.c
+1
-1
| --- src/db.c | ||
| +++ src/db.c | ||
| @@ -932,11 +932,11 @@ | ||
| 932 | 932 | "VALUES(%Q,lower(hex(randomblob(3))),'s','')", zUser |
| 933 | 933 | ); |
| 934 | 934 | if( !setupUserOnly ){ |
| 935 | 935 | db_multi_exec( |
| 936 | 936 | "INSERT INTO user(login,pw,cap,info)" |
| 937 | - " VALUES('anonymous','anonymous','ghmncz','Anon');" | |
| 937 | + " VALUES('anonymous',hex(randomblob(8)),'ghmncz','Anon');" | |
| 938 | 938 | "INSERT INTO user(login,pw,cap,info)" |
| 939 | 939 | " VALUES('nobody','','jor','Nobody');" |
| 940 | 940 | "INSERT INTO user(login,pw,cap,info)" |
| 941 | 941 | " VALUES('developer','','dei','Dev');" |
| 942 | 942 | "INSERT INTO user(login,pw,cap,info)" |
| 943 | 943 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -932,11 +932,11 @@ | |
| 932 | "VALUES(%Q,lower(hex(randomblob(3))),'s','')", zUser |
| 933 | ); |
| 934 | if( !setupUserOnly ){ |
| 935 | db_multi_exec( |
| 936 | "INSERT INTO user(login,pw,cap,info)" |
| 937 | " VALUES('anonymous','anonymous','ghmncz','Anon');" |
| 938 | "INSERT INTO user(login,pw,cap,info)" |
| 939 | " VALUES('nobody','','jor','Nobody');" |
| 940 | "INSERT INTO user(login,pw,cap,info)" |
| 941 | " VALUES('developer','','dei','Dev');" |
| 942 | "INSERT INTO user(login,pw,cap,info)" |
| 943 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -932,11 +932,11 @@ | |
| 932 | "VALUES(%Q,lower(hex(randomblob(3))),'s','')", zUser |
| 933 | ); |
| 934 | if( !setupUserOnly ){ |
| 935 | db_multi_exec( |
| 936 | "INSERT INTO user(login,pw,cap,info)" |
| 937 | " VALUES('anonymous',hex(randomblob(8)),'ghmncz','Anon');" |
| 938 | "INSERT INTO user(login,pw,cap,info)" |
| 939 | " VALUES('nobody','','jor','Nobody');" |
| 940 | "INSERT INTO user(login,pw,cap,info)" |
| 941 | " VALUES('developer','','dei','Dev');" |
| 942 | "INSERT INTO user(login,pw,cap,info)" |
| 943 |
+6
-2
| --- src/login.c | ||
| +++ src/login.c | ||
| @@ -179,12 +179,16 @@ | ||
| 179 | 179 | redirect_to_g(); |
| 180 | 180 | } |
| 181 | 181 | if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){ |
| 182 | 182 | uid = db_int(0, |
| 183 | 183 | "SELECT uid FROM user" |
| 184 | - " WHERE login=%Q AND pw=%Q", zUsername, zPasswd); | |
| 185 | - if( uid<=0 || strcmp(zUsername,"nobody")==0 ){ | |
| 184 | + " WHERE login=%Q" | |
| 185 | + " AND login NOT IN ('anonymous','nobody','developer','reader')" | |
| 186 | + " AND pw=%Q", | |
| 187 | + zUsername, zPasswd | |
| 188 | + ); | |
| 189 | + if( uid<=0 ){ | |
| 186 | 190 | sleep(1); |
| 187 | 191 | zErrMsg = |
| 188 | 192 | @ <p><font color="red"> |
| 189 | 193 | @ You entered an unknown user or an incorrect password. |
| 190 | 194 | @ </font></p> |
| 191 | 195 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -179,12 +179,16 @@ | |
| 179 | redirect_to_g(); |
| 180 | } |
| 181 | if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){ |
| 182 | uid = db_int(0, |
| 183 | "SELECT uid FROM user" |
| 184 | " WHERE login=%Q AND pw=%Q", zUsername, zPasswd); |
| 185 | if( uid<=0 || strcmp(zUsername,"nobody")==0 ){ |
| 186 | sleep(1); |
| 187 | zErrMsg = |
| 188 | @ <p><font color="red"> |
| 189 | @ You entered an unknown user or an incorrect password. |
| 190 | @ </font></p> |
| 191 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -179,12 +179,16 @@ | |
| 179 | redirect_to_g(); |
| 180 | } |
| 181 | if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){ |
| 182 | uid = db_int(0, |
| 183 | "SELECT uid FROM user" |
| 184 | " WHERE login=%Q" |
| 185 | " AND login NOT IN ('anonymous','nobody','developer','reader')" |
| 186 | " AND pw=%Q", |
| 187 | zUsername, zPasswd |
| 188 | ); |
| 189 | if( uid<=0 ){ |
| 190 | sleep(1); |
| 191 | zErrMsg = |
| 192 | @ <p><font color="red"> |
| 193 | @ You entered an unknown user or an incorrect password. |
| 194 | @ </font></p> |
| 195 |
+1
| --- src/xfer.c | ||
| +++ src/xfer.c | ||
| @@ -387,10 +387,11 @@ | ||
| 387 | 387 | int rc = -1; |
| 388 | 388 | |
| 389 | 389 | db_prepare(&q, |
| 390 | 390 | "SELECT pw, cap, uid FROM user" |
| 391 | 391 | " WHERE login=%B" |
| 392 | + " AND login NOT IN ('anonymous','nobody','developer','reader')" | |
| 392 | 393 | " AND length(pw)>0", |
| 393 | 394 | pLogin |
| 394 | 395 | ); |
| 395 | 396 | if( db_step(&q)==SQLITE_ROW ){ |
| 396 | 397 | Blob pw, combined, hash; |
| 397 | 398 |
| --- src/xfer.c | |
| +++ src/xfer.c | |
| @@ -387,10 +387,11 @@ | |
| 387 | int rc = -1; |
| 388 | |
| 389 | db_prepare(&q, |
| 390 | "SELECT pw, cap, uid FROM user" |
| 391 | " WHERE login=%B" |
| 392 | " AND length(pw)>0", |
| 393 | pLogin |
| 394 | ); |
| 395 | if( db_step(&q)==SQLITE_ROW ){ |
| 396 | Blob pw, combined, hash; |
| 397 |
| --- src/xfer.c | |
| +++ src/xfer.c | |
| @@ -387,10 +387,11 @@ | |
| 387 | int rc = -1; |
| 388 | |
| 389 | db_prepare(&q, |
| 390 | "SELECT pw, cap, uid FROM user" |
| 391 | " WHERE login=%B" |
| 392 | " AND login NOT IN ('anonymous','nobody','developer','reader')" |
| 393 | " AND length(pw)>0", |
| 394 | pLogin |
| 395 | ); |
| 396 | if( db_step(&q)==SQLITE_ROW ){ |
| 397 | Blob pw, combined, hash; |
| 398 |