Fossil SCM
Add the https-login setting which forces a switch to HTTPS for any non-anonymous login.
Commit
be0e8041307397bc30ebc5aa4f6391cd21b7418d
Parent
04ddad7ab8e5c8b…
4 files changed
+4
+16
-2
+6
+1
-1
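--- a/src/db.c
+++ b/src/db.c
@@ -1636,10 +1636,11 @@
 { "diff-command", 0, 16, "" },
 { "dont-push", 0, 0, "off" },
 { "editor", 0, 16, "" },
 { "gdiff-command", 0, 16, "gdiff" },
 { "gmerge-command",0, 40, "" },
+ { "https-login", 0, 0, "off" },
 { "ignore-glob", 0, 40, "" },
 { "http-port", 0, 16, "8080" },
 { "localauth", 0, 0, "off" },
 { "main-branch", 0, 40, "trunk" },
 { "manifest", 0, 0, "off" },
@@ -1714,10 +1715,13 @@
 ** Ex: xxdiff "%original" "%baseline" "%merge" -M "%output"
 ** Ex: meld "%baseline" "%original" "%merge" "%output"
 **
 ** http-port The TCP/IP port number to use by the "server"
 ** and "ui" commands. Default: 8080
+**
+** https-login Send login creditials using HTTPS instead of HTTP
+** even if the login page request came via HTTP.
 **
 ** ignore-glob The VALUE is a comma-separated list of GLOB patterns
 ** specifying files that the "extra" command will ignore.
 ** Example: *.o,*.obj,*.exe
 **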
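Review bot: The help text added at new lines 1721-1722 misspells "credentials" as `creditials` and promises more than the feature delivers. Going by the login.c change in this same commit, the switch is made only by a JavaScript handler in the browser, skips the `anonymous` user, and is turned off by `--nossl`, so an administrator reading this entry would reasonably assume server-side enforcement that is not there. Suggested wording: `** https-login  Ask the browser to submit non-anonymous logins over HTTPS even if the login page came via HTTP. Requires JavaScript; ignored when SSL is unavailable.` The comment block continues outside the hunk.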
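--- a/src/login.c
+++ b/src/login.c
@@ -286,14 +286,28 @@
 " WHERE login='anonymous'"
 " AND cap!=''");
 }
 @ <tr>
 @ <td></td>
- @ <td><input type="submit" name="in" value="Login" /></td>
+ @ <td><input type="submit" name="in" value="Login"
+ @ onClick="chngAction(this.form)" /></td>
 @ </tr>
 @ </table>
- @ <script type="text/JavaScript">document.getElementById('u').focus()</script>
+ @ <script type="text/JavaScript">
+ @ document.getElementById('u').focus()
+ @ function chngAction(form){
+ if( g.sslNotAvailable==0
+ && memcmp(g.zBaseURL,"https:",6)!=0
+ && db_get_boolean("https-login",0)
+ ){
+ char *zSSL = mprintf("https:%s", &g.zBaseURL[5]);
+ @ if( form.u.value!="anonymous" ){
+ @ form.action = "%h(zSSL)/login";
+ @ }
+ }
+ @ }
+ @ </script>
 if( g.zLogin==0 ){
 @ <p>Enter
 }else{
 @ <p>You are currently logged in as <b>%h(g.zLogin)</b></p>
 @ <p>To change your login to a different user, enter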
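Review bot: The upgrade to HTTPS at new lines 297-307 happens only in the browser, where `chngAction()` rewrites `form.action` from an `onClick` handler on a page that was itself delivered over http:, so the password still travels in cleartext when JavaScript is off, when the handler does not fire, or when the page is altered in transit. Nothing visible in this hunk makes the server refuse a non-anonymous login that arrives over http: while `https-login` is on; enforcing that server-side (redirect the login page to https: and reject the POST otherwise) would make the setting do what its name says. The guard also only proves the base URL is not https: before `&g.zBaseURL[5]` is used, and `memcmp` reads 6 bytes even from a shorter string; adding `&& strncmp(g.zBaseURL,"http:",5)==0` states the assumption and is safe on short input. `%h()` is HTML escaping while the value lands inside a JavaScript string literal, and `zSSL` is never freed in the lines shown. The enclosing function starts and ends outside the hunk.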
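--- a/src/main.c
+++ b/src/main.c
@@ -73,10 +73,11 @@
 char *zBaseURL; /* Full text of the URL being served */
 char *zTop; /* Parent directory of zPath */
 const char *zContentType; /* The content type of the input HTTP request */
 int iErrPriority; /* Priority of current error message */
 char *zErrMsg; /* Text of an error message */
+ int sslNotAvailable; /* SSL is not available. Do not redirect to https: */
 Blob cgiIn; /* Input to an xfer www method */
 int cgiOutput; /* Write error and status messages to CGI */
 int xferPanic; /* Write error messages in XFER protocol */
 int fullHttpReply; /* True for full HTTP reply. False for CGI reply */
 Th_Interp *interp; /* The TH1 interpreter */
@@ -1146,17 +1147,21 @@
 ** Other options:
 **
 ** --localauth Password signin is not required if this is true and
 ** the input comes from 127.0.0.1 and the "localauth"
 ** setting is not disabled.
+**
+** --nossl SSL connections are not available so do not
+** redirect from http: to https:.
 */
 void cmd_http(void){
 const char *zIpAddr;
 const char *zNotFound;
 const char *zHost;
 zNotFound = find_option("notfound", 0, 1);
 g.useLocalauth = find_option("localauth", 0, 0)!=0;
+ g.sslNotAvailable = find_option("nossl", 0, 0)!=0;
 if( find_option("https",0,0)!=0 ) cgi_replace_parameter("HTTPS","on");
 zHost = find_option("host", 0, 1);
 if( zHost ) cgi_replace_parameter("HTTP_HOST",zHost);
 g.cgiOutput = 1;
 if( g.argc!=2 && g.argc!=3 && g.argc!=6 ){
@@ -1305,10 +1310,11 @@
 }
 db_close(1);
 if( cgi_http_server(iPort, mxPort, zBrowserCmd, flags) ){
 fossil_fatal("unable to listen on TCP socket %d", iPort);
 }
+ g.sslNotAvailable = 1;
 g.httpIn = stdin;
 g.httpOut = stdout;
 if( g.fHttpTrace || g.fSqlTrace ){
 fprintf(stderr, "====== SERVER pid %d =======\n", getpid());
 }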
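Review bot: Both `--nossl` (new line 1162) and the unconditional `g.sslNotAvailable = 1` after `cgi_http_server()` (new line 1315) silently override the repository's `https-login` setting, so an administrator who turned the setting on gets cleartext logins from these entry points with no warning. The option text at new lines 1153-1154 should say that outright, e.g. `** --nossl  SSL is not available; the "https-login" setting is ignored and logins are sent over http:.` The assignment at line 1315 deserves a comment such as `/* The built-in server only speaks plain HTTP, so never point the login form at https: */`, assuming that is the reason. The negated flag name also makes the later test `g.sslNotAvailable==0` a double negative that is easy to misread. `cmd_http` and the server function both continue outside the hunks.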
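--- a/src/winhttp.c
+++ b/src/winhttp.c
@@ -107,11 +107,11 @@
 }
 wanted -= got;
 }
 fclose(out);
 out = 0;
- sqlite3_snprintf(sizeof(zCmd), zCmd, "\"%s\" http \"%s\" %s %s %s%s",
+ sqlite3_snprintf(sizeof(zCmd), zCmd, "\"%s\" http \"%s\" %s %s %s --nossl%s",
 fossil_nameofexe(), g.zRepositoryName, zRequestFName, zReplyFName,
 inet_ntoa(p->addr.sin_addr), p->zOptions
 );
 fossil_system(zCmd);
 in = fopen(zReplyFName, "rb");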
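Review bot: The new format string at line 112 relies on `p->zOptions` being empty or starting with a space to keep `--nossl` a separate argument; a one-line comment such as `/* zOptions is "" or begins with a space */` would protect the next edit. The command is still assembled into the fixed-size `zCmd` and handed to `fossil_system()` with no check for truncation, and a repository path containing a double quote would break the quoting. That predates this commit, but the longer string makes truncation slightly more likely, so a length check before the call is worth adding. The enclosing function starts and ends outside the hunk.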