Provide a warning on the security-audit page if any of the TH1 scripts that run during a sync, push, pull, or clone are configured.
Commit
cfb5be41896928643dd108d79d9fcb0df383a10ac6495cef0e613bcfd26bd41d
Parent
2ae7a5160ffde01…
1 file changed
+11
+11
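--- a/src/security_audit.c
+++ b/src/security_audit.c
@@ -281,10 +281,21 @@
 @ <p>Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum"
 @ privileges (<a href="%R/setup_ucap_list">capabilities</a> "fq5")
 @ from users "anonymous" and "nobody"
 @ on the <a href="setup_ulist">User Configuration</a> page.
 }
+
+/* Check to see if any TH1 scripts are configured to run on a sync
+*/
+if( db_exists("SELECT 1 FROM config WHERE name GLOB 'xfer-*-script'"
+" AND length(value)>0") ){
+@ <li><p><b>WARNING:</b>
+@ TH1 scripts might be configured to run on any sync, push, pull, or
+@ clone operation. See the the <a href="%R/xfersetup">/xfersetup</a>
+@ page for more information. These TH1 scripts are a potential
+@ security concern and so should be carefully audited by a human.
+}
 
 /* The strict-manifest-syntax setting should be on. */
 if( db_get_boolean("strict-manifest-syntax",1)==0 ){
 @ <li><p><b>WARNING:</b>
 @ The "strict-manifest-syntax" flag is off. This is a security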
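Review bot: The user-facing warning text at new line 293 doubles a word — `@ clone operation. See the the <a href="%R/xfersetup">/xfersetup</a>` — and should read `@ clone operation. See the <a href="%R/xfersetup">/xfersetup</a>`, since this string is rendered verbatim on the audit page. The check at new lines 289-290 only establishes that some `xfer-*-script` setting holds a non-empty value and then sends the auditor to /xfersetup to discover which one; listing each matching setting name in the warning would make the finding directly actionable, as sketched below with a prepared statement in place of `db_exists` (assuming a `Stmt q;` declared at the top of the function, following the pattern used elsewhere in Fossil). The new comment at lines 287-288 also leaves its closing `*/` alone on a second line; a single line `/* Check to see if any TH1 scripts are configured to run on a sync. */` would match the neighbouring `/* The strict-manifest-syntax setting should be on. */`. The enclosing function begins and ends outside this hunk.
```c
  /* … unchanged: Mod-Wiki/Mod-Tkt/Mod-Forum capability check above … */

  /* Check to see if any TH1 scripts are configured to run on a sync, and
  ** name each non-empty xfer-*-script setting so the auditor knows which
  ** scripts to inspect.
  */
  db_prepare(&q, "SELECT name FROM config WHERE name GLOB 'xfer-*-script'"
                 " AND length(value)>0 ORDER BY name");
  if( db_step(&q)==SQLITE_ROW ){
    @ <li><p><b>WARNING:</b>
    @ TH1 scripts are configured to run on sync, push, pull, or
    @ clone operations (see <a href="%R/xfersetup">/xfersetup</a>):
    do{
      @ <tt>%h(db_column_text(&q,0))</tt>
    }while( db_step(&q)==SQLITE_ROW );
    @ These TH1 scripts are a potential
    @ security concern and so should be carefully audited by a human.
  }
  db_finalize(&q);

  /* … unchanged: strict-manifest-syntax check … */
```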
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -281,10 +281,21 @@ | |
| 281 | @ <p>Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum" |
| 282 | @ privileges (<a href="%R/setup_ucap_list">capabilities</a> "fq5") |
| 283 | @ from users "anonymous" and "nobody" |
| 284 | @ on the <a href="setup_ulist">User Configuration</a> page. |
| 285 | } |
| 286 | |
| 287 | /* The strict-manifest-syntax setting should be on. */ |
| 288 | if( db_get_boolean("strict-manifest-syntax",1)==0 ){ |
| 289 | @ <li><p><b>WARNING:</b> |
| 290 | @ The "strict-manifest-syntax" flag is off. This is a security |
| 291 |
| --- src/security_audit.c | |
| +++ src/security_audit.c | |
| @@ -281,10 +281,21 @@ | |
| 281 | @ <p>Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum" |
| 282 | @ privileges (<a href="%R/setup_ucap_list">capabilities</a> "fq5") |
| 283 | @ from users "anonymous" and "nobody" |
| 284 | @ on the <a href="setup_ulist">User Configuration</a> page. |
| 285 | } |
| 286 | |
| 287 | /* Check to see if any TH1 scripts are configured to run on a sync |
| 288 | */ |
| 289 | if( db_exists("SELECT 1 FROM config WHERE name GLOB 'xfer-*-script'" |
| 290 | " AND length(value)>0") ){ |
| 291 | @ <li><p><b>WARNING:</b> |
| 292 | @ TH1 scripts might be configured to run on any sync, push, pull, or |
| 293 | @ clone operation. See the the <a href="%R/xfersetup">/xfersetup</a> |
| 294 | @ page for more information. These TH1 scripts are a potential |
| 295 | @ security concern and so should be carefully audited by a human. |
| 296 | } |
| 297 | |
| 298 | /* The strict-manifest-syntax setting should be on. */ |
| 299 | if( db_get_boolean("strict-manifest-syntax",1)==0 ){ |
| 300 | @ <li><p><b>WARNING:</b> |
| 301 | @ The "strict-manifest-syntax" flag is off. This is a security |
| 302 |