Provide the option to force all web page requests to go over HTTPS.
Commit
f372e18979177614b552a5ddca34daa96a0a199c811e367442b33f66b3619e3f
Parent
742d64d916facd8…
4 files changed
+2
-41
+52
+16
-8
+2
-2
+2
-41
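--- a/src/login.c
+++ b/src/login.c
@@ -549,34 +549,11 @@
 const char *zIpAddr; /* IP address of requestor */
 const char *zReferer;
 int noAnon = P("noanon")!=0;
 
 login_check_credentials();
-if( login_wants_https_redirect() ){
-const char *zQS = P("QUERY_STRING");
-if( P("redir")!=0 ){
-style_header("Insecure Connection");
-@ <h1>Unable To Establish An Encrypted Connection</h1>
-@ <p>This website requires that login credentials be sent over
-@ an encrypted connection. The current connection is not encrypted
-@ across the entire route between your browser and the server.
-@ An attempt was made to redirect to %h(g.zHttpsURL) but
-@ the connection is still insecure even after the redirect.</p>
-@ <p>This is probably some kind of configuration problem. Please
-@ contact your sysadmin.</p>
-@ <p>Sorry it did not work out.</p>
-style_footer();
-return;
-}
-if( zQS==0 ){
-zQS = "?redir=1";
-}else if( zQS[0]!=0 ){
-zQS = mprintf("?%s&redir=1", zQS);
-}
-cgi_redirectf("%s%T%s", g.zHttpsURL, P("PATH_INFO"), zQS);
-return;
-}
+fossil_redirect_to_https_if_needed(1);
 sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0,
 constant_time_cmp_function, 0, 0);
 zUsername = P("u");
 zPasswd = P("p");
 anonFlag = g.zLogin==0 && PB("anon");
@@ -914,26 +891,10 @@
 " AND constant_time_cmp(cookie,%Q)=0",
 zLogin, zRemoteAddr, zCookie
 );
 return uid;
 }
-
-/*
-** Return true if it is appropriate to redirect login requests to HTTPS.
-**
-** Redirect to https is appropriate if all of the above are true:
-** (1) The redirect-to-https flag is set
-** (2) The current connection is http, not https or ssh
-** (3) The sslNotAvailable flag is clear
-*/
-int login_wants_https_redirect(void){
-if( g.sslNotAvailable ) return 0;
-if( db_get_boolean("redirect-to-https",0)==0 ) return 0;
-if( P("HTTPS")!=0 ) return 0;
-return 1;
-}
-
 
 /*
 ** Attempt to use Basic Authentication to establish the user. Return the
 ** (non-zero) uid if successful. Return 0 if it does not work.
 */
@@ -1461,11 +1422,11 @@
 {
 const char *zUrl = PD("REQUEST_URI", "index");
 const char *zQS = P("QUERY_STRING");
 Blob redir;
 blob_init(&redir, 0, 0);
-if( login_wants_https_redirect() && !g.sslNotAvailable ){
+if( fossil_wants_https(1) ){
 blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl);
 }else{
 blob_appendf(&redir, "%R/login?g=%T", zUrl);
 }
 if( anonOk ) blob_append(&redir, "&anon", 5);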
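Review bot: After the new call `fossil_redirect_to_https_if_needed(1);` at line 554, login_page no longer stops once the helper has rendered the "Insecure Connection" page: the removed code returned from login_page at old line 568, whereas the helper's own `return` only hands control back, so the credential handling from line 555 onward still runs over the unencrypted connection and writes into a page that style_footer() has already closed. Having the helper report whether it produced a response and returning on it, `if( fossil_redirect_to_https_if_needed(1) ) return;`, would restore the old behaviour; the same call pattern is at src/main.c line 1660. Whether cgi_redirectf() returns to its caller is not visible here; if it does, the redirect path has the same problem, since the removed code also returned after it at old line 576. login_page begins and ends outside the hunk.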
| --- src/login.c | |
| +++ src/login.c | |
| @@ -549,34 +549,11 @@ | |
| 549 | const char *zIpAddr; /* IP address of requestor */ |
| 550 | const char *zReferer; |
| 551 | int noAnon = P("noanon")!=0; |
| 552 | |
| 553 | login_check_credentials(); |
| 554 | if( login_wants_https_redirect() ){ |
| 555 | const char *zQS = P("QUERY_STRING"); |
| 556 | if( P("redir")!=0 ){ |
| 557 | style_header("Insecure Connection"); |
| 558 | @ <h1>Unable To Establish An Encrypted Connection</h1> |
| 559 | @ <p>This website requires that login credentials be sent over |
| 560 | @ an encrypted connection. The current connection is not encrypted |
| 561 | @ across the entire route between your browser and the server. |
| 562 | @ An attempt was made to redirect to %h(g.zHttpsURL) but |
| 563 | @ the connection is still insecure even after the redirect.</p> |
| 564 | @ <p>This is probably some kind of configuration problem. Please |
| 565 | @ contact your sysadmin.</p> |
| 566 | @ <p>Sorry it did not work out.</p> |
| 567 | style_footer(); |
| 568 | return; |
| 569 | } |
| 570 | if( zQS==0 ){ |
| 571 | zQS = "?redir=1"; |
| 572 | }else if( zQS[0]!=0 ){ |
| 573 | zQS = mprintf("?%s&redir=1", zQS); |
| 574 | } |
| 575 | cgi_redirectf("%s%T%s", g.zHttpsURL, P("PATH_INFO"), zQS); |
| 576 | return; |
| 577 | } |
| 578 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| 579 | constant_time_cmp_function, 0, 0); |
| 580 | zUsername = P("u"); |
| 581 | zPasswd = P("p"); |
| 582 | anonFlag = g.zLogin==0 && PB("anon"); |
| @@ -914,26 +891,10 @@ | |
| 914 | " AND constant_time_cmp(cookie,%Q)=0", |
| 915 | zLogin, zRemoteAddr, zCookie |
| 916 | ); |
| 917 | return uid; |
| 918 | } |
| 919 | |
| 920 | /* |
| 921 | ** Return true if it is appropriate to redirect login requests to HTTPS. |
| 922 | ** |
| 923 | ** Redirect to https is appropriate if all of the above are true: |
| 924 | ** (1) The redirect-to-https flag is set |
| 925 | ** (2) The current connection is http, not https or ssh |
| 926 | ** (3) The sslNotAvailable flag is clear |
| 927 | */ |
| 928 | int login_wants_https_redirect(void){ |
| 929 | if( g.sslNotAvailable ) return 0; |
| 930 | if( db_get_boolean("redirect-to-https",0)==0 ) return 0; |
| 931 | if( P("HTTPS")!=0 ) return 0; |
| 932 | return 1; |
| 933 | } |
| 934 | |
| 935 | |
| 936 | /* |
| 937 | ** Attempt to use Basic Authentication to establish the user. Return the |
| 938 | ** (non-zero) uid if successful. Return 0 if it does not work. |
| 939 | */ |
| @@ -1461,11 +1422,11 @@ | |
| 1461 | { |
| 1462 | const char *zUrl = PD("REQUEST_URI", "index"); |
| 1463 | const char *zQS = P("QUERY_STRING"); |
| 1464 | Blob redir; |
| 1465 | blob_init(&redir, 0, 0); |
| 1466 | if( login_wants_https_redirect() && !g.sslNotAvailable ){ |
| 1467 | blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl); |
| 1468 | }else{ |
| 1469 | blob_appendf(&redir, "%R/login?g=%T", zUrl); |
| 1470 | } |
| 1471 | if( anonOk ) blob_append(&redir, "&anon", 5); |
| 1472 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -549,34 +549,11 @@ | |
| 549 | const char *zIpAddr; /* IP address of requestor */ |
| 550 | const char *zReferer; |
| 551 | int noAnon = P("noanon")!=0; |
| 552 | |
| 553 | login_check_credentials(); |
| 554 | fossil_redirect_to_https_if_needed(1); |
| 555 | sqlite3_create_function(g.db, "constant_time_cmp", 2, SQLITE_UTF8, 0, |
| 556 | constant_time_cmp_function, 0, 0); |
| 557 | zUsername = P("u"); |
| 558 | zPasswd = P("p"); |
| 559 | anonFlag = g.zLogin==0 && PB("anon"); |
| @@ -914,26 +891,10 @@ | |
| 891 | " AND constant_time_cmp(cookie,%Q)=0", |
| 892 | zLogin, zRemoteAddr, zCookie |
| 893 | ); |
| 894 | return uid; |
| 895 | } |
| 896 | |
| 897 | /* |
| 898 | ** Attempt to use Basic Authentication to establish the user. Return the |
| 899 | ** (non-zero) uid if successful. Return 0 if it does not work. |
| 900 | */ |
| @@ -1461,11 +1422,11 @@ | |
| 1422 | { |
| 1423 | const char *zUrl = PD("REQUEST_URI", "index"); |
| 1424 | const char *zQS = P("QUERY_STRING"); |
| 1425 | Blob redir; |
| 1426 | blob_init(&redir, 0, 0); |
| 1427 | if( fossil_wants_https(1) ){ |
| 1428 | blob_appendf(&redir, "%s/login?g=%T", g.zHttpsURL, zUrl); |
| 1429 | }else{ |
| 1430 | blob_appendf(&redir, "%R/login?g=%T", zUrl); |
| 1431 | } |
| 1432 | if( anonOk ) blob_append(&redir, "&anon", 5); |
| 1433 |
+52
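--- a/src/main.c
+++ b/src/main.c
@@ -1334,10 +1334,56 @@
 }
 #endif
 db_panic_close();
 exit(1);
 }
+
+/*
+** Return true if it is appropriate to redirect requests to HTTPS.
+**
+** Redirect to https is appropriate if all of the above are true:
+** (1) The redirect-to-https flag has a valud of iLevel or greater.
+** (2) The current connection is http, not https or ssh
+** (3) The sslNotAvailable flag is clear
+*/
+int fossil_wants_https(int iLevel){
+if( g.sslNotAvailable ) return 0;
+if( db_get_int("redirect-to-https",0)<iLevel ) return 0;
+if( P("HTTPS")!=0 ) return 0;
+return 1;
+}
+
+/*
+** Redirect to the equivalent HTTPS request if the current connection is
+** insecure and if the redirect-to-https flag greater than or equal to
+** iLevel. iLevel is 1 for /login pages and 2 for every other page.
+*/
+void fossil_redirect_to_https_if_needed(int iLevel){
+if( fossil_wants_https(iLevel) ){
+const char *zQS = P("QUERY_STRING");
+if( P("redir")!=0 ){
+style_header("Insecure Connection");
+@ <h1>Unable To Establish An Encrypted Connection</h1>
+@ <p>This website requires an encrypted connection.
+@ The current connection is not encrypted
+@ across the entire route between your browser and the server.
+@ An attempt was made to redirect to %h(g.zHttpsURL) but
+@ the connection is still insecure even after the redirect.</p>
+@ <p>This is probably some kind of configuration problem. Please
+@ contact your sysadmin.</p>
+@ <p>Sorry it did not work out.</p>
+style_footer();
+return;
+}
+if( zQS==0 ){
+zQS = "?redir=1";
+}else if( zQS[0]!=0 ){
+zQS = mprintf("?%s&redir=1", zQS);
+}
+cgi_redirectf("%s%T%s", g.zHttpsURL, P("PATH_INFO"), zQS);
+}
+}
 
 /*
 ** Preconditions:
 **
 ** * Environment variables are set up according to the CGI standard.
@@ -1604,10 +1650,16 @@
 /* Special case: If the content mimetype shows that it is "fossil sync"
 ** payload, then pretend that the PATH_INFO is /xfer so that we always
 ** invoke the sync page. */
 zPathInfo = "/xfer";
 }
+
+/* If the inbound request is unencrypted and if the redirect-to-https
+** setting is 2 or more, then immediately redirect the equivalent HTTPS
+** URI.
+*/
+fossil_redirect_to_https_if_needed(2);
 
 /* Use the first element of PATH_INFO as the page name
 ** and deliver the appropriate page back to the user.
 */
 set_base_url(0);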
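Review bot: `fossil_redirect_to_https_if_needed(2);` at line 1660 runs before `set_base_url(0);` at 1665, and the helper builds its redirect target from g.zHttpsURL (line 1382); if set_base_url() is what populates g.zHttpsURL, which this hunk does not show, the all-pages redirect is issued with an unset target, so the call likely belongs after set_base_url(0). Separately, fossil_wants_https at 1350 reads the setting with db_get_int where the removed login_wants_https_redirect used db_get_boolean; a repository whose stored value is a non-numeric truthy string, which db_get_boolean presumably accepted, would now parse as 0 and silently lose the login-page redirect it previously enforced, which deserves either a comment on the accepted values or a compatibility check that treats such values as level 1. The header comment at 1344 has a typo: "valud" should read "value". The function containing the second hunk begins and ends outside it.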
| --- src/main.c | |
| +++ src/main.c | |
| @@ -1334,10 +1334,56 @@ | |
| 1334 | } |
| 1335 | #endif |
| 1336 | db_panic_close(); |
| 1337 | exit(1); |
| 1338 | } |
| 1339 | |
| 1340 | /* |
| 1341 | ** Preconditions: |
| 1342 | ** |
| 1343 | ** * Environment variables are set up according to the CGI standard. |
| @@ -1604,10 +1650,16 @@ | |
| 1604 | /* Special case: If the content mimetype shows that it is "fossil sync" |
| 1605 | ** payload, then pretend that the PATH_INFO is /xfer so that we always |
| 1606 | ** invoke the sync page. */ |
| 1607 | zPathInfo = "/xfer"; |
| 1608 | } |
| 1609 | |
| 1610 | /* Use the first element of PATH_INFO as the page name |
| 1611 | ** and deliver the appropriate page back to the user. |
| 1612 | */ |
| 1613 | set_base_url(0); |
| 1614 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -1334,10 +1334,56 @@ | |
| 1334 | } |
| 1335 | #endif |
| 1336 | db_panic_close(); |
| 1337 | exit(1); |
| 1338 | } |
| 1339 | |
| 1340 | /* |
| 1341 | ** Return true if it is appropriate to redirect requests to HTTPS. |
| 1342 | ** |
| 1343 | ** Redirect to https is appropriate if all of the above are true: |
| 1344 | ** (1) The redirect-to-https flag has a valud of iLevel or greater. |
| 1345 | ** (2) The current connection is http, not https or ssh |
| 1346 | ** (3) The sslNotAvailable flag is clear |
| 1347 | */ |
| 1348 | int fossil_wants_https(int iLevel){ |
| 1349 | if( g.sslNotAvailable ) return 0; |
| 1350 | if( db_get_int("redirect-to-https",0)<iLevel ) return 0; |
| 1351 | if( P("HTTPS")!=0 ) return 0; |
| 1352 | return 1; |
| 1353 | } |
| 1354 | |
| 1355 | /* |
| 1356 | ** Redirect to the equivalent HTTPS request if the current connection is |
| 1357 | ** insecure and if the redirect-to-https flag greater than or equal to |
| 1358 | ** iLevel. iLevel is 1 for /login pages and 2 for every other page. |
| 1359 | */ |
| 1360 | void fossil_redirect_to_https_if_needed(int iLevel){ |
| 1361 | if( fossil_wants_https(iLevel) ){ |
| 1362 | const char *zQS = P("QUERY_STRING"); |
| 1363 | if( P("redir")!=0 ){ |
| 1364 | style_header("Insecure Connection"); |
| 1365 | @ <h1>Unable To Establish An Encrypted Connection</h1> |
| 1366 | @ <p>This website requires an encrypted connection. |
| 1367 | @ The current connection is not encrypted |
| 1368 | @ across the entire route between your browser and the server. |
| 1369 | @ An attempt was made to redirect to %h(g.zHttpsURL) but |
| 1370 | @ the connection is still insecure even after the redirect.</p> |
| 1371 | @ <p>This is probably some kind of configuration problem. Please |
| 1372 | @ contact your sysadmin.</p> |
| 1373 | @ <p>Sorry it did not work out.</p> |
| 1374 | style_footer(); |
| 1375 | return; |
| 1376 | } |
| 1377 | if( zQS==0 ){ |
| 1378 | zQS = "?redir=1"; |
| 1379 | }else if( zQS[0]!=0 ){ |
| 1380 | zQS = mprintf("?%s&redir=1", zQS); |
| 1381 | } |
| 1382 | cgi_redirectf("%s%T%s", g.zHttpsURL, P("PATH_INFO"), zQS); |
| 1383 | } |
| 1384 | } |
| 1385 | |
| 1386 | /* |
| 1387 | ** Preconditions: |
| 1388 | ** |
| 1389 | ** * Environment variables are set up according to the CGI standard. |
| @@ -1604,10 +1650,16 @@ | |
| 1650 | /* Special case: If the content mimetype shows that it is "fossil sync" |
| 1651 | ** payload, then pretend that the PATH_INFO is /xfer so that we always |
| 1652 | ** invoke the sync page. */ |
| 1653 | zPathInfo = "/xfer"; |
| 1654 | } |
| 1655 | |
| 1656 | /* If the inbound request is unencrypted and if the redirect-to-https |
| 1657 | ** setting is 2 or more, then immediately redirect the equivalent HTTPS |
| 1658 | ** URI. |
| 1659 | */ |
| 1660 | fossil_redirect_to_https_if_needed(2); |
| 1661 | |
| 1662 | /* Use the first element of PATH_INFO as the page name |
| 1663 | ** and deliver the appropriate page back to the user. |
| 1664 | */ |
| 1665 | set_base_url(0); |
| 1666 |
+16
-8
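--- a/src/setup.c
+++ b/src/setup.c
@@ -284,11 +284,11 @@
 const char *zLabel, /* The text label on the menu */
 const char *zVar, /* The corresponding row in the VAR table */
 const char *zQP, /* The query parameter */
 const char *zDflt, /* Default value if VAR table entry does not exist */
 int nChoice, /* Number of choices */
-const char *const *azChoice /* Choices. 2 per choice: (VAR value, Display) */
+const char *const *azChoice /* Choices in pairs (VAR value, Display) */
 ){
 const char *z = db_get(zVar, zDflt);
 const char *zQ = P(zQP);
 int i;
 if( zQ && fossil_strcmp(zQ,z)!=0){
@@ -312,10 +312,15 @@
 ** WEBPAGE: setup_access
 **
 ** The access-control settings page. Requires Setup privileges.
 */
 void setup_access(void){
+static const char * const azRedirectOpts[] = {
+"0", "Off",
+"1", "Login Page Only",
+"2", "All Pages"
+};
 login_check_credentials();
 if( !g.perm.Setup ){
 login_needed(0);
 return;
 }
@@ -324,18 +329,21 @@
 db_begin_transaction();
 @ <form action="%s(g.zTop)/setup_access" method="post"><div>
 login_insert_csrf_secret();
 @ <input type="submit" name="submit" value="Apply Changes" /></p>
 @ <hr />
-onoff_attribute("Redirect to HTTPS on the Login page",
-"redirect-to-https", "redirhttps", 0, 0);
-@ <p>When selected, force the use of HTTPS for the Login page.
-@ <p>Details: When enabled, this option causes the $secureurl TH1
+multiple_choice_attribute("Redirect to HTTPS",
+"redirect-to-https", "redirhttps", "0",
+count(azRedirectOpts)/2, azRedirectOpts);
+@ <p>Force the use of HTTPS by redirecting to HTTPS when an
+@ unencrypted request is received. This feature can be enabled
+@ for the Login page only, or for all pages.
+@ <p>Further details: When enabled, this option causes the $secureurl TH1
 @ variable is set to an "https:" variant of $baseurl. Otherwise,
-@ $secureurl is just an alias for $baseurl. Also when enabled, the
-@ Login page redirects to https if accessed via http.
-@ (Property: "redirect-to-https")
+@ $secureurl is just an alias for $baseurl.
+@ (Property: "redirect-to-https". "0" for off, "1" for Login page only,
+@ "2" otherwise.)
 @ <hr />
 onoff_attribute("Require password for local access",
 "localauth", "localauth", 0, 0);
 @ <p>When enabled, the password sign-in is always required for
 @ web access. When disabled, unrestricted web access from 127.0.0.1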
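Review bot: The help text at line 340 still says "When enabled" although the setting is now a three-way choice, and together with the context line at 341 the sentence reads "causes the $secureurl TH1 variable is set to", which is ungrammatical. Suggested wording for 340: `@ <p>Further details: When set to "1" or "2", this option causes the $secureurl TH1` with 341 becoming `@ variable to be set to an "https:" variant of $baseurl. Otherwise,`, noting that 341 is an unchanged line and would need to be touched as well. setup_access continues outside the hunk.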
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -284,11 +284,11 @@ | |
| 284 | const char *zLabel, /* The text label on the menu */ |
| 285 | const char *zVar, /* The corresponding row in the VAR table */ |
| 286 | const char *zQP, /* The query parameter */ |
| 287 | const char *zDflt, /* Default value if VAR table entry does not exist */ |
| 288 | int nChoice, /* Number of choices */ |
| 289 | const char *const *azChoice /* Choices. 2 per choice: (VAR value, Display) */ |
| 290 | ){ |
| 291 | const char *z = db_get(zVar, zDflt); |
| 292 | const char *zQ = P(zQP); |
| 293 | int i; |
| 294 | if( zQ && fossil_strcmp(zQ,z)!=0){ |
| @@ -312,10 +312,15 @@ | |
| 312 | ** WEBPAGE: setup_access |
| 313 | ** |
| 314 | ** The access-control settings page. Requires Setup privileges. |
| 315 | */ |
| 316 | void setup_access(void){ |
| 317 | login_check_credentials(); |
| 318 | if( !g.perm.Setup ){ |
| 319 | login_needed(0); |
| 320 | return; |
| 321 | } |
| @@ -324,18 +329,21 @@ | |
| 324 | db_begin_transaction(); |
| 325 | @ <form action="%s(g.zTop)/setup_access" method="post"><div> |
| 326 | login_insert_csrf_secret(); |
| 327 | @ <input type="submit" name="submit" value="Apply Changes" /></p> |
| 328 | @ <hr /> |
| 329 | onoff_attribute("Redirect to HTTPS on the Login page", |
| 330 | "redirect-to-https", "redirhttps", 0, 0); |
| 331 | @ <p>When selected, force the use of HTTPS for the Login page. |
| 332 | @ <p>Details: When enabled, this option causes the $secureurl TH1 |
| 333 | @ variable is set to an "https:" variant of $baseurl. Otherwise, |
| 334 | @ $secureurl is just an alias for $baseurl. Also when enabled, the |
| 335 | @ Login page redirects to https if accessed via http. |
| 336 | @ (Property: "redirect-to-https") |
| 337 | @ <hr /> |
| 338 | onoff_attribute("Require password for local access", |
| 339 | "localauth", "localauth", 0, 0); |
| 340 | @ <p>When enabled, the password sign-in is always required for |
| 341 | @ web access. When disabled, unrestricted web access from 127.0.0.1 |
| 342 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -284,11 +284,11 @@ | |
| 284 | const char *zLabel, /* The text label on the menu */ |
| 285 | const char *zVar, /* The corresponding row in the VAR table */ |
| 286 | const char *zQP, /* The query parameter */ |
| 287 | const char *zDflt, /* Default value if VAR table entry does not exist */ |
| 288 | int nChoice, /* Number of choices */ |
| 289 | const char *const *azChoice /* Choices in pairs (VAR value, Display) */ |
| 290 | ){ |
| 291 | const char *z = db_get(zVar, zDflt); |
| 292 | const char *zQ = P(zQP); |
| 293 | int i; |
| 294 | if( zQ && fossil_strcmp(zQ,z)!=0){ |
| @@ -312,10 +312,15 @@ | |
| 312 | ** WEBPAGE: setup_access |
| 313 | ** |
| 314 | ** The access-control settings page. Requires Setup privileges. |
| 315 | */ |
| 316 | void setup_access(void){ |
| 317 | static const char * const azRedirectOpts[] = { |
| 318 | "0", "Off", |
| 319 | "1", "Login Page Only", |
| 320 | "2", "All Pages" |
| 321 | }; |
| 322 | login_check_credentials(); |
| 323 | if( !g.perm.Setup ){ |
| 324 | login_needed(0); |
| 325 | return; |
| 326 | } |
| @@ -324,18 +329,21 @@ | |
| 329 | db_begin_transaction(); |
| 330 | @ <form action="%s(g.zTop)/setup_access" method="post"><div> |
| 331 | login_insert_csrf_secret(); |
| 332 | @ <input type="submit" name="submit" value="Apply Changes" /></p> |
| 333 | @ <hr /> |
| 334 | multiple_choice_attribute("Redirect to HTTPS", |
| 335 | "redirect-to-https", "redirhttps", "0", |
| 336 | count(azRedirectOpts)/2, azRedirectOpts); |
| 337 | @ <p>Force the use of HTTPS by redirecting to HTTPS when an |
| 338 | @ unencrypted request is received. This feature can be enabled |
| 339 | @ for the Login page only, or for all pages. |
| 340 | @ <p>Further details: When enabled, this option causes the $secureurl TH1 |
| 341 | @ variable is set to an "https:" variant of $baseurl. Otherwise, |
| 342 | @ $secureurl is just an alias for $baseurl. |
| 343 | @ (Property: "redirect-to-https". "0" for off, "1" for Login page only, |
| 344 | @ "2" otherwise.) |
| 345 | @ <hr /> |
| 346 | onoff_attribute("Require password for local access", |
| 347 | "localauth", "localauth", 0, 0); |
| 348 | @ <p>When enabled, the password sign-in is always required for |
| 349 | @ web access. When disabled, unrestricted web access from 127.0.0.1 |
| 350 |
+2
-2
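--- a/src/style.c
+++ b/src/style.c
@@ -412,11 +412,11 @@
 Th_Store("nonce", style_nonce());
 Th_Store("project_name", db_get("project-name","Unnamed Fossil Project"));
 Th_Store("project_description", db_get("project-description",""));
 if( zTitle ) Th_Store("title", zTitle);
 Th_Store("baseurl", g.zBaseURL);
-Th_Store("secureurl", login_wants_https_redirect()? g.zHttpsURL: g.zBaseURL);
+Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
 Th_Store("home", g.zTop);
 Th_Store("index_page", db_get("index-page","/home"));
 if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath);
 Th_Store("current_page", local_zCurrentPage);
 Th_Store("csrf_token", g.zCsrfToken);
@@ -914,11 +914,11 @@
 
 /* Process through TH1 in order to give an opportunity to substitute
 ** variables such as $baseurl.
 */
 Th_Store("baseurl", g.zBaseURL);
-Th_Store("secureurl", login_wants_https_redirect()? g.zHttpsURL: g.zBaseURL);
+Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
 Th_Store("home", g.zTop);
 image_url_var("logo");
 image_url_var("background");
 Th_Render(blob_str(&css));
 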
| --- src/style.c | |
| +++ src/style.c | |
| @@ -412,11 +412,11 @@ | |
| 412 | Th_Store("nonce", style_nonce()); |
| 413 | Th_Store("project_name", db_get("project-name","Unnamed Fossil Project")); |
| 414 | Th_Store("project_description", db_get("project-description","")); |
| 415 | if( zTitle ) Th_Store("title", zTitle); |
| 416 | Th_Store("baseurl", g.zBaseURL); |
| 417 | Th_Store("secureurl", login_wants_https_redirect()? g.zHttpsURL: g.zBaseURL); |
| 418 | Th_Store("home", g.zTop); |
| 419 | Th_Store("index_page", db_get("index-page","/home")); |
| 420 | if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath); |
| 421 | Th_Store("current_page", local_zCurrentPage); |
| 422 | Th_Store("csrf_token", g.zCsrfToken); |
| @@ -914,11 +914,11 @@ | |
| 914 | |
| 915 | /* Process through TH1 in order to give an opportunity to substitute |
| 916 | ** variables such as $baseurl. |
| 917 | */ |
| 918 | Th_Store("baseurl", g.zBaseURL); |
| 919 | Th_Store("secureurl", login_wants_https_redirect()? g.zHttpsURL: g.zBaseURL); |
| 920 | Th_Store("home", g.zTop); |
| 921 | image_url_var("logo"); |
| 922 | image_url_var("background"); |
| 923 | Th_Render(blob_str(&css)); |
| 924 | |
| 925 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -412,11 +412,11 @@ | |
| 412 | Th_Store("nonce", style_nonce()); |
| 413 | Th_Store("project_name", db_get("project-name","Unnamed Fossil Project")); |
| 414 | Th_Store("project_description", db_get("project-description","")); |
| 415 | if( zTitle ) Th_Store("title", zTitle); |
| 416 | Th_Store("baseurl", g.zBaseURL); |
| 417 | Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL); |
| 418 | Th_Store("home", g.zTop); |
| 419 | Th_Store("index_page", db_get("index-page","/home")); |
| 420 | if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath); |
| 421 | Th_Store("current_page", local_zCurrentPage); |
| 422 | Th_Store("csrf_token", g.zCsrfToken); |
| @@ -914,11 +914,11 @@ | |
| 914 | |
| 915 | /* Process through TH1 in order to give an opportunity to substitute |
| 916 | ** variables such as $baseurl. |
| 917 | */ |
| 918 | Th_Store("baseurl", g.zBaseURL); |
| 919 | Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL); |
| 920 | Th_Store("home", g.zTop); |
| 921 | image_url_var("logo"); |
| 922 | image_url_var("background"); |
| 923 | Th_Render(blob_str(&css)); |
| 924 | |
| 925 |