Fossil SCM
Fixed the 'add' Windows-reserved filename check to work with both filename and directory name input. It now always warns for such named s but permits them if --allow-reserved is used.
Commit
d0a8582e014d0a9fe749a58f90a6325eb8572a4686d35e6e0100f8d84e1fc110
Parent
5c5aa19cc5098ac…
3 files changed
+28
-11
+19
+4
-7
+28
-11
| --- src/add.c | ||
| +++ src/add.c | ||
| @@ -439,21 +439,10 @@ | ||
| 439 | 439 | Blob fullName = empty_blob; |
| 440 | 440 | |
| 441 | 441 | /* file_tree_name() throws a fatal error if g.argv[i] is outside of the |
| 442 | 442 | ** checkout. */ |
| 443 | 443 | file_tree_name(g.argv[i], &fullName, 0, 1); |
| 444 | - if(0==allowReservedFlag | |
| 445 | - && 0!=file_is_win_reserved(blob_str(&fullName))){ | |
| 446 | - /* Note that the 'add' internal machinery already _silently_ | |
| 447 | - ** skips over any names for which file_is_reserved_name() | |
| 448 | - ** returns true or which is in the fossil_reserved_name() | |
| 449 | - ** list. We do not need to warn for those, as they're outright | |
| 450 | - ** verboten. */ | |
| 451 | - fossil_fatal("Filename is reserved: %b\n" | |
| 452 | - "Use --allow-reserved to permit " | |
| 453 | - "reserved filenames.", &fullName); | |
| 454 | - } | |
| 455 | 444 | blob_reset(&fullName); |
| 456 | 445 | file_canonical_name(g.argv[i], &fullName, 0); |
| 457 | 446 | zName = blob_str(&fullName); |
| 458 | 447 | isDir = file_isdir(zName, RepoFILE); |
| 459 | 448 | if( isDir==1 ){ |
| @@ -486,10 +475,38 @@ | ||
| 486 | 475 | blob_reset(&fullName); |
| 487 | 476 | } |
| 488 | 477 | glob_free(pIgnore); |
| 489 | 478 | glob_free(pClean); |
| 490 | 479 | |
| 480 | + /** Check for Windows-reserved names and warn or exit, as | |
| 481 | + ** appopriate. Note that the 'add' internal machinery already | |
| 482 | + ** _silently_ skips over any names for which | |
| 483 | + ** file_is_reserved_name() returns true or which is in the | |
| 484 | + ** fossil_reserved_name() list. We do not need to warn for those, | |
| 485 | + ** as they're outright verboten. */ | |
| 486 | + if(db_exists("SELECT 1 FROM sfile WHERE win_reserved(pathname)")){ | |
| 487 | + Stmt q = empty_Stmt; | |
| 488 | + db_prepare(&q,"SELECT pathname FROM sfile " | |
| 489 | + "WHERE win_reserved(pathname)"); | |
| 490 | + int reservedCount = 0; | |
| 491 | + while( db_step(&q)==SQLITE_ROW ){ | |
| 492 | + const char * zName = db_column_text(&q, 0); | |
| 493 | + ++reservedCount; | |
| 494 | + if(allowReservedFlag){ | |
| 495 | + fossil_warning("WARNING: Windows-reserved " | |
| 496 | + "filename: %s", zName); | |
| 497 | + }else{ | |
| 498 | + fossil_warning("ERROR: Windows-reserved filename: %s", zName); | |
| 499 | + } | |
| 500 | + } | |
| 501 | + db_finalize(&q); | |
| 502 | + if(allowReservedFlag==0){ | |
| 503 | + fossil_fatal("ERROR: %d Windows-reserved filename(s) added. " | |
| 504 | + "Use --allow-reserved to permit such names.", | |
| 505 | + reservedCount); | |
| 506 | + } | |
| 507 | + } | |
| 491 | 508 | add_files_in_sfile(vid); |
| 492 | 509 | db_end_transaction(0); |
| 493 | 510 | } |
| 494 | 511 | |
| 495 | 512 | /* |
| 496 | 513 |
| --- src/add.c | |
| +++ src/add.c | |
| @@ -439,21 +439,10 @@ | |
| 439 | Blob fullName = empty_blob; |
| 440 | |
| 441 | /* file_tree_name() throws a fatal error if g.argv[i] is outside of the |
| 442 | ** checkout. */ |
| 443 | file_tree_name(g.argv[i], &fullName, 0, 1); |
| 444 | if(0==allowReservedFlag |
| 445 | && 0!=file_is_win_reserved(blob_str(&fullName))){ |
| 446 | /* Note that the 'add' internal machinery already _silently_ |
| 447 | ** skips over any names for which file_is_reserved_name() |
| 448 | ** returns true or which is in the fossil_reserved_name() |
| 449 | ** list. We do not need to warn for those, as they're outright |
| 450 | ** verboten. */ |
| 451 | fossil_fatal("Filename is reserved: %b\n" |
| 452 | "Use --allow-reserved to permit " |
| 453 | "reserved filenames.", &fullName); |
| 454 | } |
| 455 | blob_reset(&fullName); |
| 456 | file_canonical_name(g.argv[i], &fullName, 0); |
| 457 | zName = blob_str(&fullName); |
| 458 | isDir = file_isdir(zName, RepoFILE); |
| 459 | if( isDir==1 ){ |
| @@ -486,10 +475,38 @@ | |
| 486 | blob_reset(&fullName); |
| 487 | } |
| 488 | glob_free(pIgnore); |
| 489 | glob_free(pClean); |
| 490 | |
| 491 | add_files_in_sfile(vid); |
| 492 | db_end_transaction(0); |
| 493 | } |
| 494 | |
| 495 | /* |
| 496 |
| --- src/add.c | |
| +++ src/add.c | |
| @@ -439,21 +439,10 @@ | |
| 439 | Blob fullName = empty_blob; |
| 440 | |
| 441 | /* file_tree_name() throws a fatal error if g.argv[i] is outside of the |
| 442 | ** checkout. */ |
| 443 | file_tree_name(g.argv[i], &fullName, 0, 1); |
| 444 | blob_reset(&fullName); |
| 445 | file_canonical_name(g.argv[i], &fullName, 0); |
| 446 | zName = blob_str(&fullName); |
| 447 | isDir = file_isdir(zName, RepoFILE); |
| 448 | if( isDir==1 ){ |
| @@ -486,10 +475,38 @@ | |
| 475 | blob_reset(&fullName); |
| 476 | } |
| 477 | glob_free(pIgnore); |
| 478 | glob_free(pClean); |
| 479 | |
| 480 | /** Check for Windows-reserved names and warn or exit, as |
| 481 | ** appopriate. Note that the 'add' internal machinery already |
| 482 | ** _silently_ skips over any names for which |
| 483 | ** file_is_reserved_name() returns true or which is in the |
| 484 | ** fossil_reserved_name() list. We do not need to warn for those, |
| 485 | ** as they're outright verboten. */ |
| 486 | if(db_exists("SELECT 1 FROM sfile WHERE win_reserved(pathname)")){ |
| 487 | Stmt q = empty_Stmt; |
| 488 | db_prepare(&q,"SELECT pathname FROM sfile " |
| 489 | "WHERE win_reserved(pathname)"); |
| 490 | int reservedCount = 0; |
| 491 | while( db_step(&q)==SQLITE_ROW ){ |
| 492 | const char * zName = db_column_text(&q, 0); |
| 493 | ++reservedCount; |
| 494 | if(allowReservedFlag){ |
| 495 | fossil_warning("WARNING: Windows-reserved " |
| 496 | "filename: %s", zName); |
| 497 | }else{ |
| 498 | fossil_warning("ERROR: Windows-reserved filename: %s", zName); |
| 499 | } |
| 500 | } |
| 501 | db_finalize(&q); |
| 502 | if(allowReservedFlag==0){ |
| 503 | fossil_fatal("ERROR: %d Windows-reserved filename(s) added. " |
| 504 | "Use --allow-reserved to permit such names.", |
| 505 | reservedCount); |
| 506 | } |
| 507 | } |
| 508 | add_files_in_sfile(vid); |
| 509 | db_end_transaction(0); |
| 510 | } |
| 511 | |
| 512 | /* |
| 513 |
M
src/db.c
+19
| --- src/db.c | ||
| +++ src/db.c | ||
| @@ -1376,10 +1376,13 @@ | ||
| 1376 | 1376 | alert_display_name_func, 0, 0); |
| 1377 | 1377 | sqlite3_create_function(db, "obscure", 1, SQLITE_UTF8, 0, |
| 1378 | 1378 | db_obscure, 0, 0); |
| 1379 | 1379 | sqlite3_create_function(db, "protected_setting", 1, SQLITE_UTF8, 0, |
| 1380 | 1380 | db_protected_setting_func, 0, 0); |
| 1381 | + sqlite3_create_function(db, "win_reserved", 1, SQLITE_UTF8, 0, | |
| 1382 | + db_win_reserved_func,0,0 | |
| 1383 | + ); | |
| 1381 | 1384 | } |
| 1382 | 1385 | |
| 1383 | 1386 | #if USE_SEE |
| 1384 | 1387 | /* |
| 1385 | 1388 | ** This is a pointer to the saved database encryption key string. |
| @@ -2876,10 +2879,26 @@ | ||
| 2876 | 2879 | assert( rc==0 || rc==1 ); |
| 2877 | 2880 | if( sqlite3_value_type(argv[2-rc])==SQLITE_NULL ) rc = 1-rc; |
| 2878 | 2881 | sqlite3_result_value(context, argv[2-rc]); |
| 2879 | 2882 | } |
| 2880 | 2883 | } |
| 2884 | + | |
| 2885 | +/* | |
| 2886 | +** Implementation of the "win_reserved(X)" SQL function, a wrapper | |
| 2887 | +** for file_is_win_reserved(X) which returns true if X is | |
| 2888 | +** a Windows-reserved filename. | |
| 2889 | +*/ | |
| 2890 | +LOCAL void db_win_reserved_func( | |
| 2891 | + sqlite3_context *context, | |
| 2892 | + int argc, | |
| 2893 | + sqlite3_value **argv | |
| 2894 | +){ | |
| 2895 | + const char * zName = (const char *)sqlite3_value_text(argv[0]); | |
| 2896 | + if( zName!=0 ){ | |
| 2897 | + sqlite3_result_int(context, file_is_win_reserved(zName)!=0); | |
| 2898 | + } | |
| 2899 | +} | |
| 2881 | 2900 | |
| 2882 | 2901 | /* |
| 2883 | 2902 | ** Convert the input string into a artifact hash. Make a notation in the |
| 2884 | 2903 | ** CONCEALED table so that the hash can be undo using the db_reveal() |
| 2885 | 2904 | ** function at some later time. |
| 2886 | 2905 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -1376,10 +1376,13 @@ | |
| 1376 | alert_display_name_func, 0, 0); |
| 1377 | sqlite3_create_function(db, "obscure", 1, SQLITE_UTF8, 0, |
| 1378 | db_obscure, 0, 0); |
| 1379 | sqlite3_create_function(db, "protected_setting", 1, SQLITE_UTF8, 0, |
| 1380 | db_protected_setting_func, 0, 0); |
| 1381 | } |
| 1382 | |
| 1383 | #if USE_SEE |
| 1384 | /* |
| 1385 | ** This is a pointer to the saved database encryption key string. |
| @@ -2876,10 +2879,26 @@ | |
| 2876 | assert( rc==0 || rc==1 ); |
| 2877 | if( sqlite3_value_type(argv[2-rc])==SQLITE_NULL ) rc = 1-rc; |
| 2878 | sqlite3_result_value(context, argv[2-rc]); |
| 2879 | } |
| 2880 | } |
| 2881 | |
| 2882 | /* |
| 2883 | ** Convert the input string into a artifact hash. Make a notation in the |
| 2884 | ** CONCEALED table so that the hash can be undo using the db_reveal() |
| 2885 | ** function at some later time. |
| 2886 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -1376,10 +1376,13 @@ | |
| 1376 | alert_display_name_func, 0, 0); |
| 1377 | sqlite3_create_function(db, "obscure", 1, SQLITE_UTF8, 0, |
| 1378 | db_obscure, 0, 0); |
| 1379 | sqlite3_create_function(db, "protected_setting", 1, SQLITE_UTF8, 0, |
| 1380 | db_protected_setting_func, 0, 0); |
| 1381 | sqlite3_create_function(db, "win_reserved", 1, SQLITE_UTF8, 0, |
| 1382 | db_win_reserved_func,0,0 |
| 1383 | ); |
| 1384 | } |
| 1385 | |
| 1386 | #if USE_SEE |
| 1387 | /* |
| 1388 | ** This is a pointer to the saved database encryption key string. |
| @@ -2876,10 +2879,26 @@ | |
| 2879 | assert( rc==0 || rc==1 ); |
| 2880 | if( sqlite3_value_type(argv[2-rc])==SQLITE_NULL ) rc = 1-rc; |
| 2881 | sqlite3_result_value(context, argv[2-rc]); |
| 2882 | } |
| 2883 | } |
| 2884 | |
| 2885 | /* |
| 2886 | ** Implementation of the "win_reserved(X)" SQL function, a wrapper |
| 2887 | ** for file_is_win_reserved(X) which returns true if X is |
| 2888 | ** a Windows-reserved filename. |
| 2889 | */ |
| 2890 | LOCAL void db_win_reserved_func( |
| 2891 | sqlite3_context *context, |
| 2892 | int argc, |
| 2893 | sqlite3_value **argv |
| 2894 | ){ |
| 2895 | const char * zName = (const char *)sqlite3_value_text(argv[0]); |
| 2896 | if( zName!=0 ){ |
| 2897 | sqlite3_result_int(context, file_is_win_reserved(zName)!=0); |
| 2898 | } |
| 2899 | } |
| 2900 | |
| 2901 | /* |
| 2902 | ** Convert the input string into a artifact hash. Make a notation in the |
| 2903 | ** CONCEALED table so that the hash can be undo using the db_reveal() |
| 2904 | ** function at some later time. |
| 2905 |
+4
-7
| --- src/sqlcmd.c | ||
| +++ src/sqlcmd.c | ||
| @@ -146,12 +146,12 @@ | ||
| 146 | 146 | ){ |
| 147 | 147 | gather_artifact_stats(1); |
| 148 | 148 | } |
| 149 | 149 | |
| 150 | 150 | /* |
| 151 | -** Add the content(), compress(), and decompress() SQL functions to | |
| 152 | -** database connection db. | |
| 151 | +** Add the content(), compress(), decompress(), and | |
| 152 | +** gather_artifact_stats() SQL functions to database connection db. | |
| 153 | 153 | */ |
| 154 | 154 | int add_content_sql_commands(sqlite3 *db){ |
| 155 | 155 | sqlite3_create_function(db, "content", 1, SQLITE_UTF8, 0, |
| 156 | 156 | sqlcmd_content, 0, 0); |
| 157 | 157 | sqlite3_create_function(db, "compress", 1, SQLITE_UTF8, 0, |
| @@ -171,18 +171,18 @@ | ||
| 171 | 171 | ** |
| 172 | 172 | ** These invoke the corresponding C routines. |
| 173 | 173 | ** |
| 174 | 174 | ** WARNING: |
| 175 | 175 | ** Do not instantiate these functions for any Fossil webpage or command |
| 176 | -** method of than the "fossil sql" command. If an attacker gains access | |
| 176 | +** method other than the "fossil sql" command. If an attacker gains access | |
| 177 | 177 | ** to these functions, he will be able to disable other defense mechanisms. |
| 178 | 178 | ** |
| 179 | 179 | ** This routines are for interactiving testing only. They are experimental |
| 180 | 180 | ** and undocumented (apart from this comments) and might go away or change |
| 181 | 181 | ** in future releases. |
| 182 | 182 | ** |
| 183 | -** 2020-11-29: This functions are now only available if the "fossil sql" | |
| 183 | +** 2020-11-29: These functions are now only available if the "fossil sql" | |
| 184 | 184 | ** command is started with the --test option. |
| 185 | 185 | */ |
| 186 | 186 | static void sqlcmd_db_protect( |
| 187 | 187 | sqlite3_context *context, |
| 188 | 188 | int argc, |
| @@ -204,13 +204,10 @@ | ||
| 204 | 204 | int argc, |
| 205 | 205 | sqlite3_value **argv |
| 206 | 206 | ){ |
| 207 | 207 | if( !local_bSqlCmdTest ) db_protect_pop(); |
| 208 | 208 | } |
| 209 | - | |
| 210 | - | |
| 211 | - | |
| 212 | 209 | |
| 213 | 210 | /* |
| 214 | 211 | ** This is the "automatic extension" initializer that runs right after |
| 215 | 212 | ** the connection to the repository database is opened. Set up the |
| 216 | 213 | ** database connection to be more useful to the human operator. |
| 217 | 214 |
| --- src/sqlcmd.c | |
| +++ src/sqlcmd.c | |
| @@ -146,12 +146,12 @@ | |
| 146 | ){ |
| 147 | gather_artifact_stats(1); |
| 148 | } |
| 149 | |
| 150 | /* |
| 151 | ** Add the content(), compress(), and decompress() SQL functions to |
| 152 | ** database connection db. |
| 153 | */ |
| 154 | int add_content_sql_commands(sqlite3 *db){ |
| 155 | sqlite3_create_function(db, "content", 1, SQLITE_UTF8, 0, |
| 156 | sqlcmd_content, 0, 0); |
| 157 | sqlite3_create_function(db, "compress", 1, SQLITE_UTF8, 0, |
| @@ -171,18 +171,18 @@ | |
| 171 | ** |
| 172 | ** These invoke the corresponding C routines. |
| 173 | ** |
| 174 | ** WARNING: |
| 175 | ** Do not instantiate these functions for any Fossil webpage or command |
| 176 | ** method of than the "fossil sql" command. If an attacker gains access |
| 177 | ** to these functions, he will be able to disable other defense mechanisms. |
| 178 | ** |
| 179 | ** This routines are for interactiving testing only. They are experimental |
| 180 | ** and undocumented (apart from this comments) and might go away or change |
| 181 | ** in future releases. |
| 182 | ** |
| 183 | ** 2020-11-29: This functions are now only available if the "fossil sql" |
| 184 | ** command is started with the --test option. |
| 185 | */ |
| 186 | static void sqlcmd_db_protect( |
| 187 | sqlite3_context *context, |
| 188 | int argc, |
| @@ -204,13 +204,10 @@ | |
| 204 | int argc, |
| 205 | sqlite3_value **argv |
| 206 | ){ |
| 207 | if( !local_bSqlCmdTest ) db_protect_pop(); |
| 208 | } |
| 209 | |
| 210 | |
| 211 | |
| 212 | |
| 213 | /* |
| 214 | ** This is the "automatic extension" initializer that runs right after |
| 215 | ** the connection to the repository database is opened. Set up the |
| 216 | ** database connection to be more useful to the human operator. |
| 217 |
| --- src/sqlcmd.c | |
| +++ src/sqlcmd.c | |
| @@ -146,12 +146,12 @@ | |
| 146 | ){ |
| 147 | gather_artifact_stats(1); |
| 148 | } |
| 149 | |
| 150 | /* |
| 151 | ** Add the content(), compress(), decompress(), and |
| 152 | ** gather_artifact_stats() SQL functions to database connection db. |
| 153 | */ |
| 154 | int add_content_sql_commands(sqlite3 *db){ |
| 155 | sqlite3_create_function(db, "content", 1, SQLITE_UTF8, 0, |
| 156 | sqlcmd_content, 0, 0); |
| 157 | sqlite3_create_function(db, "compress", 1, SQLITE_UTF8, 0, |
| @@ -171,18 +171,18 @@ | |
| 171 | ** |
| 172 | ** These invoke the corresponding C routines. |
| 173 | ** |
| 174 | ** WARNING: |
| 175 | ** Do not instantiate these functions for any Fossil webpage or command |
| 176 | ** method other than the "fossil sql" command. If an attacker gains access |
| 177 | ** to these functions, he will be able to disable other defense mechanisms. |
| 178 | ** |
| 179 | ** This routines are for interactiving testing only. They are experimental |
| 180 | ** and undocumented (apart from this comments) and might go away or change |
| 181 | ** in future releases. |
| 182 | ** |
| 183 | ** 2020-11-29: These functions are now only available if the "fossil sql" |
| 184 | ** command is started with the --test option. |
| 185 | */ |
| 186 | static void sqlcmd_db_protect( |
| 187 | sqlite3_context *context, |
| 188 | int argc, |
| @@ -204,13 +204,10 @@ | |
| 204 | int argc, |
| 205 | sqlite3_value **argv |
| 206 | ){ |
| 207 | if( !local_bSqlCmdTest ) db_protect_pop(); |
| 208 | } |
| 209 | |
| 210 | /* |
| 211 | ** This is the "automatic extension" initializer that runs right after |
| 212 | ** the connection to the repository database is opened. Set up the |
| 213 | ** database connection to be more useful to the human operator. |
| 214 |