Fossil SCM

Security fix in [7df48cb2995cd775]: Only give the user an anonymous login if anonymous logins are enabled.

drh 2024-08-23 09:17 trunk
Commit d6bbf550e73fe07f4e2720cd91504e11c0c4df557c47708bdd8aae0b91427786
1 file changed +3 -1
+3 -1
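--- a/src/login.c
+++ b/src/login.c
@@ -1455,11 +1455,13 @@
 record_login_attempt(zUser, zIpAddr, 1);
 }else{
 /* The login cookie is a valid login for project CODE, but no
 ** user named USER exists on this repository. Cannot login as
 ** USER, but at least give them "anonymous" login. */
- uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'");
+ uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'"
+ " AND octet_length(cap)>0"
+ " AND octet_length(pw)>0");
 }
 }
 }
 login_create_csrf_secret(zHash);
 }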
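Review bot: The comment kept above the lookup (new lines 1457-1459) still promises to "at least give them 'anonymous' login", but the new query only does so when the anonymous row has a non-empty `cap` and a non-empty `pw`. The comment should state that condition, for example `** USER; fall back to "anonymous" only if that account is enabled (non-empty cap and pw), otherwise uid keeps the db_int() default. */`. It is also worth noting there that a NULL `cap` or `pw` fails the `octet_length(...)>0` test, so the lookup fails closed. The enclosing function starts and ends outside the hunk, so how a `uid` of 0 is treated afterwards cannot be checked here; confirm that path grants no more than the unauthenticated default. `octet_length()` is a relatively recent SQLite function, so a build linked against an external SQLite presumably needs a version that provides it.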
--- src/login.c
+++ src/login.c
@@ -1455,11 +1455,13 @@
1455 record_login_attempt(zUser, zIpAddr, 1);
1456 }else{
1457 /* The login cookie is a valid login for project CODE, but no
1458 ** user named USER exists on this repository. Cannot login as
1459 ** USER, but at least give them "anonymous" login. */
1460 uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'");
 
 
1461 }
1462 }
1463 }
1464 login_create_csrf_secret(zHash);
1465 }
1466
--- src/login.c
+++ src/login.c
@@ -1455,11 +1455,13 @@
1455 record_login_attempt(zUser, zIpAddr, 1);
1456 }else{
1457 /* The login cookie is a valid login for project CODE, but no
1458 ** user named USER exists on this repository. Cannot login as
1459 ** USER, but at least give them "anonymous" login. */
1460 uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'"
1461 " AND octet_length(cap)>0"
1462 " AND octet_length(pw)>0");
1463 }
1464 }
1465 }
1466 login_create_csrf_secret(zHash);
1467 }
1468
