Fossil SCM
The allow-symlinks setting is no longer versionable and is off by default. The allow-symlinks setting no longer propagates with a clone. The help text for allow-symlinks discourages its use. There is a new --symlink flag on "fossil open" to permit the use of symlinks on an open, for the adventurous. Ticket [f9831fdef1d4edcc].
Commit
ff98dd5af61aef30ca4a18c320f3850f80d708fcf11dc8c0154c47f4f5e98f21
Parent
fb41384045cb639…
5 files changed
-4
-1
+28
-66
-2
-1
-4
| --- src/checkin.c | ||
| +++ src/checkin.c | ||
| @@ -856,12 +856,10 @@ | ||
| 856 | 856 | |
| 857 | 857 | if( zIgnoreFlag==0 ){ |
| 858 | 858 | zIgnoreFlag = db_get("ignore-glob", 0); |
| 859 | 859 | } |
| 860 | 860 | pIgnore = glob_create(zIgnoreFlag); |
| 861 | - /* Always consider symlinks. */ | |
| 862 | - g.allowSymlinks = db_allow_symlinks_by_default(); | |
| 863 | 861 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 864 | 862 | glob_free(pIgnore); |
| 865 | 863 | |
| 866 | 864 | blob_zero(&report); |
| 867 | 865 | status_report(&report, flags); |
| @@ -1015,12 +1013,10 @@ | ||
| 1015 | 1013 | verify_all_options(); |
| 1016 | 1014 | pIgnore = glob_create(zIgnoreFlag); |
| 1017 | 1015 | pKeep = glob_create(zKeepFlag); |
| 1018 | 1016 | pClean = glob_create(zCleanFlag); |
| 1019 | 1017 | nRoot = (int)strlen(g.zLocalRoot); |
| 1020 | - /* Always consider symlinks. */ | |
| 1021 | - g.allowSymlinks = db_allow_symlinks_by_default(); | |
| 1022 | 1018 | if( !dirsOnlyFlag ){ |
| 1023 | 1019 | Stmt q; |
| 1024 | 1020 | Blob repo; |
| 1025 | 1021 | if( !dryRunFlag && !disableUndo ) undo_begin(); |
| 1026 | 1022 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 1027 | 1023 |
| --- src/checkin.c | |
| +++ src/checkin.c | |
| @@ -856,12 +856,10 @@ | |
| 856 | |
| 857 | if( zIgnoreFlag==0 ){ |
| 858 | zIgnoreFlag = db_get("ignore-glob", 0); |
| 859 | } |
| 860 | pIgnore = glob_create(zIgnoreFlag); |
| 861 | /* Always consider symlinks. */ |
| 862 | g.allowSymlinks = db_allow_symlinks_by_default(); |
| 863 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 864 | glob_free(pIgnore); |
| 865 | |
| 866 | blob_zero(&report); |
| 867 | status_report(&report, flags); |
| @@ -1015,12 +1013,10 @@ | |
| 1015 | verify_all_options(); |
| 1016 | pIgnore = glob_create(zIgnoreFlag); |
| 1017 | pKeep = glob_create(zKeepFlag); |
| 1018 | pClean = glob_create(zCleanFlag); |
| 1019 | nRoot = (int)strlen(g.zLocalRoot); |
| 1020 | /* Always consider symlinks. */ |
| 1021 | g.allowSymlinks = db_allow_symlinks_by_default(); |
| 1022 | if( !dirsOnlyFlag ){ |
| 1023 | Stmt q; |
| 1024 | Blob repo; |
| 1025 | if( !dryRunFlag && !disableUndo ) undo_begin(); |
| 1026 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 1027 |
| --- src/checkin.c | |
| +++ src/checkin.c | |
| @@ -856,12 +856,10 @@ | |
| 856 | |
| 857 | if( zIgnoreFlag==0 ){ |
| 858 | zIgnoreFlag = db_get("ignore-glob", 0); |
| 859 | } |
| 860 | pIgnore = glob_create(zIgnoreFlag); |
| 861 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 862 | glob_free(pIgnore); |
| 863 | |
| 864 | blob_zero(&report); |
| 865 | status_report(&report, flags); |
| @@ -1015,12 +1013,10 @@ | |
| 1013 | verify_all_options(); |
| 1014 | pIgnore = glob_create(zIgnoreFlag); |
| 1015 | pKeep = glob_create(zKeepFlag); |
| 1016 | pClean = glob_create(zCleanFlag); |
| 1017 | nRoot = (int)strlen(g.zLocalRoot); |
| 1018 | if( !dirsOnlyFlag ){ |
| 1019 | Stmt q; |
| 1020 | Blob repo; |
| 1021 | if( !dryRunFlag && !disableUndo ) undo_begin(); |
| 1022 | locate_unmanaged_files(g.argc-2, g.argv+2, scanFlags, pIgnore); |
| 1023 |
-1
| --- src/configure.c | ||
| +++ src/configure.c | ||
| @@ -143,11 +143,10 @@ | ||
| 143 | 143 | { "keep-glob", CONFIGSET_PROJ }, |
| 144 | 144 | { "crlf-glob", CONFIGSET_PROJ }, |
| 145 | 145 | { "crnl-glob", CONFIGSET_PROJ }, |
| 146 | 146 | { "encoding-glob", CONFIGSET_PROJ }, |
| 147 | 147 | { "empty-dirs", CONFIGSET_PROJ }, |
| 148 | - { "allow-symlinks", CONFIGSET_PROJ }, | |
| 149 | 148 | { "dotfiles", CONFIGSET_PROJ }, |
| 150 | 149 | { "parent-project-code", CONFIGSET_PROJ }, |
| 151 | 150 | { "parent-project-name", CONFIGSET_PROJ }, |
| 152 | 151 | { "hash-policy", CONFIGSET_PROJ }, |
| 153 | 152 | { "comment-format", CONFIGSET_PROJ }, |
| 154 | 153 |
| --- src/configure.c | |
| +++ src/configure.c | |
| @@ -143,11 +143,10 @@ | |
| 143 | { "keep-glob", CONFIGSET_PROJ }, |
| 144 | { "crlf-glob", CONFIGSET_PROJ }, |
| 145 | { "crnl-glob", CONFIGSET_PROJ }, |
| 146 | { "encoding-glob", CONFIGSET_PROJ }, |
| 147 | { "empty-dirs", CONFIGSET_PROJ }, |
| 148 | { "allow-symlinks", CONFIGSET_PROJ }, |
| 149 | { "dotfiles", CONFIGSET_PROJ }, |
| 150 | { "parent-project-code", CONFIGSET_PROJ }, |
| 151 | { "parent-project-name", CONFIGSET_PROJ }, |
| 152 | { "hash-policy", CONFIGSET_PROJ }, |
| 153 | { "comment-format", CONFIGSET_PROJ }, |
| 154 |
| --- src/configure.c | |
| +++ src/configure.c | |
| @@ -143,11 +143,10 @@ | |
| 143 | { "keep-glob", CONFIGSET_PROJ }, |
| 144 | { "crlf-glob", CONFIGSET_PROJ }, |
| 145 | { "crnl-glob", CONFIGSET_PROJ }, |
| 146 | { "encoding-glob", CONFIGSET_PROJ }, |
| 147 | { "empty-dirs", CONFIGSET_PROJ }, |
| 148 | { "dotfiles", CONFIGSET_PROJ }, |
| 149 | { "parent-project-code", CONFIGSET_PROJ }, |
| 150 | { "parent-project-name", CONFIGSET_PROJ }, |
| 151 | { "hash-policy", CONFIGSET_PROJ }, |
| 152 | { "comment-format", CONFIGSET_PROJ }, |
| 153 |
M
src/db.c
+28
-66
| --- src/db.c | ||
| +++ src/db.c | ||
| @@ -1823,22 +1823,10 @@ | ||
| 1823 | 1823 | } |
| 1824 | 1824 | } |
| 1825 | 1825 | return zRepo; |
| 1826 | 1826 | } |
| 1827 | 1827 | |
| 1828 | -/* | |
| 1829 | -** Returns non-zero if the default value for the "allow-symlinks" setting | |
| 1830 | -** is "on". When on Windows, this always returns false. | |
| 1831 | -*/ | |
| 1832 | -int db_allow_symlinks_by_default(void){ | |
| 1833 | -#if defined(_WIN32) | |
| 1834 | - return 0; | |
| 1835 | -#else | |
| 1836 | - return 1; | |
| 1837 | -#endif | |
| 1838 | -} | |
| 1839 | - | |
| 1840 | 1828 | /* |
| 1841 | 1829 | ** Returns non-zero if support for symlinks is currently enabled. |
| 1842 | 1830 | */ |
| 1843 | 1831 | int db_allow_symlinks(void){ |
| 1844 | 1832 | return g.allowSymlinks; |
| @@ -1880,13 +1868,14 @@ | ||
| 1880 | 1868 | g.zRepositoryName = mprintf("%s", zDbName); |
| 1881 | 1869 | db_open_or_attach(g.zRepositoryName, "repository"); |
| 1882 | 1870 | g.repositoryOpen = 1; |
| 1883 | 1871 | sqlite3_file_control(g.db, "repository", SQLITE_FCNTL_DATA_VERSION, |
| 1884 | 1872 | &g.iRepoDataVers); |
| 1873 | + | |
| 1885 | 1874 | /* Cache "allow-symlinks" option, because we'll need it on every stat call */ |
| 1886 | - g.allowSymlinks = db_get_boolean("allow-symlinks", | |
| 1887 | - db_allow_symlinks_by_default()); | |
| 1875 | + g.allowSymlinks = db_get_boolean("allow-symlinks",0); | |
| 1876 | + | |
| 1888 | 1877 | g.zAuxSchema = db_get("aux-schema",""); |
| 1889 | 1878 | g.eHashPolicy = db_get_int("hash-policy",-1); |
| 1890 | 1879 | if( g.eHashPolicy<0 ){ |
| 1891 | 1880 | g.eHashPolicy = hname_default_policy(); |
| 1892 | 1881 | db_set_int("hash-policy", g.eHashPolicy, 0); |
| @@ -3158,10 +3147,16 @@ | ||
| 3158 | 3147 | ** --repodir DIR If REPOSITORY is a URI that will be cloned, store |
| 3159 | 3148 | ** the clone in DIR rather than in "." |
| 3160 | 3149 | ** --setmtime Set timestamps of all files to match their SCM-side |
| 3161 | 3150 | ** times (the timestamp of the last checkin which modified |
| 3162 | 3151 | ** them). |
| 3152 | +** --symlinks Allow the use of symbolic links when expanding files | |
| 3153 | +** in this check-out, overriding the global allow-symlinks | |
| 3154 | +** setting (which default to "off"). CAUTION: This option | |
| 3155 | +** might allow a malicious repository to overwrite files | |
| 3156 | +** outside of the checkout directory. This option is a | |
| 3157 | +** security risk and its use is discouraged. | |
| 3163 | 3158 | ** --workdir DIR Use DIR as the working directory instead of ".". The DIR |
| 3164 | 3159 | ** directory is created if it does not exist. |
| 3165 | 3160 | ** |
| 3166 | 3161 | ** See also: [[close]], [[clone]] |
| 3167 | 3162 | */ |
| @@ -3168,11 +3163,11 @@ | ||
| 3168 | 3163 | void cmd_open(void){ |
| 3169 | 3164 | int emptyFlag; |
| 3170 | 3165 | int keepFlag; |
| 3171 | 3166 | int forceMissingFlag; |
| 3172 | 3167 | int allowNested; |
| 3173 | - int allowSymlinks; | |
| 3168 | + int allowSymlinks = 0; | |
| 3174 | 3169 | int setmtimeFlag; /* --setmtime. Set mtimes on files */ |
| 3175 | 3170 | int bForce = 0; /* --force. Open even if non-empty dir */ |
| 3176 | 3171 | static char *azNewArgv[] = { 0, "checkout", "--prompt", 0, 0, 0, 0 }; |
| 3177 | 3172 | const char *zWorkDir; /* --workdir value */ |
| 3178 | 3173 | const char *zRepo = 0; /* Name of the repository file */ |
| @@ -3187,10 +3182,11 @@ | ||
| 3187 | 3182 | allowNested = find_option("nested",0,0)!=0; |
| 3188 | 3183 | setmtimeFlag = find_option("setmtime",0,0)!=0; |
| 3189 | 3184 | zWorkDir = find_option("workdir",0,1); |
| 3190 | 3185 | zRepoDir = find_option("repodir",0,1); |
| 3191 | 3186 | bForce = find_option("force",0,0)!=0; |
| 3187 | + if( find_option("symlinks",0,0)!=0 ) allowSymlinks = 1; | |
| 3192 | 3188 | zPwd = file_getcwd(0,0); |
| 3193 | 3189 | |
| 3194 | 3190 | |
| 3195 | 3191 | /* We should be done with options.. */ |
| 3196 | 3192 | verify_all_options(); |
| @@ -3279,23 +3275,10 @@ | ||
| 3279 | 3275 | }else if( db_exists("SELECT 1 FROM event WHERE type='ci'") ){ |
| 3280 | 3276 | g.zOpenRevision = db_get("main-branch", 0); |
| 3281 | 3277 | } |
| 3282 | 3278 | } |
| 3283 | 3279 | |
| 3284 | - if( g.zOpenRevision ){ | |
| 3285 | - /* Since the repository is open and we know the revision now, | |
| 3286 | - ** refresh the allow-symlinks flag. Since neither the local | |
| 3287 | - ** checkout nor the configuration database are open at this | |
| 3288 | - ** point, this should always return the versioned setting, | |
| 3289 | - ** if any, or the default value, which is negative one. The | |
| 3290 | - ** value negative one, in this context, means that the code | |
| 3291 | - ** below should fallback to using the setting value from the | |
| 3292 | - ** repository or global configuration databases only. */ | |
| 3293 | - allowSymlinks = db_get_versioned_boolean("allow-symlinks", -1); | |
| 3294 | - }else{ | |
| 3295 | - allowSymlinks = -1; /* Use non-versioned settings only. */ | |
| 3296 | - } | |
| 3297 | 3280 | |
| 3298 | 3281 | #if defined(_WIN32) || defined(__CYGWIN__) |
| 3299 | 3282 | # define LOCALDB_NAME "./_FOSSIL_" |
| 3300 | 3283 | #else |
| 3301 | 3284 | # define LOCALDB_NAME "./.fslckout" |
| @@ -3305,26 +3288,11 @@ | ||
| 3305 | 3288 | "COMMIT; PRAGMA journal_mode=WAL; BEGIN;", |
| 3306 | 3289 | #endif |
| 3307 | 3290 | (char*)0); |
| 3308 | 3291 | db_delete_on_failure(LOCALDB_NAME); |
| 3309 | 3292 | db_open_local(0); |
| 3310 | - if( allowSymlinks>=0 ){ | |
| 3311 | - /* Use the value from the versioned setting, which was read | |
| 3312 | - ** prior to opening the local checkout (i.e. which is most | |
| 3313 | - ** likely empty and does not actually contain any versioned | |
| 3314 | - ** setting files yet). Normally, this value would be given | |
| 3315 | - ** first priority within db_get_boolean(); however, this is | |
| 3316 | - ** a special case because we know the on-disk files may not | |
| 3317 | - ** exist yet. */ | |
| 3318 | - g.allowSymlinks = allowSymlinks; | |
| 3319 | - }else{ | |
| 3320 | - /* Since the local checkout may not have any files at this | |
| 3321 | - ** point, this will probably be the setting value from the | |
| 3322 | - ** repository or global configuration databases. */ | |
| 3323 | - g.allowSymlinks = db_get_boolean("allow-symlinks", | |
| 3324 | - db_allow_symlinks_by_default()); | |
| 3325 | - } | |
| 3293 | + if( allowSymlinks ) g.allowSymlinks = 1; | |
| 3326 | 3294 | db_lset("repository", zRepo); |
| 3327 | 3295 | db_record_repository_filename(zRepo); |
| 3328 | 3296 | db_set_checkout(0); |
| 3329 | 3297 | azNewArgv[0] = g.argv[0]; |
| 3330 | 3298 | g.argv = azNewArgv; |
| @@ -3432,32 +3400,26 @@ | ||
| 3432 | 3400 | ** SETTING: admin-log boolean default=off |
| 3433 | 3401 | ** |
| 3434 | 3402 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3435 | 3403 | ** in the "admin_log" table of the repository. |
| 3436 | 3404 | */ |
| 3437 | -#if defined(_WIN32) | |
| 3438 | -/* | |
| 3439 | -** SETTING: allow-symlinks boolean default=off versionable | |
| 3440 | -** | |
| 3441 | -** When allow-symlinks is OFF, symbolic links in the repository are followed | |
| 3442 | -** and treated no differently from real files. When allow-symlinks is ON, | |
| 3443 | -** the object to which the symbolic link points is ignored, and the content | |
| 3444 | -** of the symbolic link that is stored in the repository is the name of the | |
| 3445 | -** object to which the symbolic link points. | |
| 3446 | -*/ | |
| 3447 | -#endif | |
| 3448 | -#if !defined(_WIN32) | |
| 3449 | -/* | |
| 3450 | -** SETTING: allow-symlinks boolean default=on versionable | |
| 3451 | -** | |
| 3452 | -** When allow-symlinks is OFF, symbolic links in the repository are followed | |
| 3453 | -** and treated no differently from real files. When allow-symlinks is ON, | |
| 3454 | -** the object to which the symbolic link points is ignored, and the content | |
| 3455 | -** of the symbolic link that is stored in the repository is the name of the | |
| 3456 | -** object to which the symbolic link points. | |
| 3457 | -*/ | |
| 3458 | -#endif | |
| 3405 | +/* | |
| 3406 | +** SETTING: allow-symlinks boolean default=off | |
| 3407 | +** | |
| 3408 | +** When allow-symlinks is OFF (which is the default and recommended setting) | |
| 3409 | +** symbolic links a treated like text files that contain a single line of | |
| 3410 | +** content which is the name of their target. If allow-symlinks is ON, | |
| 3411 | +** the symbolic links are actually followed. | |
| 3412 | +** | |
| 3413 | +** The use of symbolic links is dangerous. If you checkout a maliciously | |
| 3414 | +** crafted checkin that contains symbolic links, it is possible that files | |
| 3415 | +** outside of the working directory might be overwritten. | |
| 3416 | +** | |
| 3417 | +** Keep this setting OFF unless you have a very good reason to turn it | |
| 3418 | +** on and you implicitly trust the integrity of the repositories you | |
| 3419 | +** open. | |
| 3420 | +*/ | |
| 3459 | 3421 | /* |
| 3460 | 3422 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3461 | 3423 | ** If enabled, the /login page provides a button that will automatically |
| 3462 | 3424 | ** fill in the captcha password. This makes things easier for human users, |
| 3463 | 3425 | ** at the expense of also making logins easier for malicious robots. |
| 3464 | 3426 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -1823,22 +1823,10 @@ | |
| 1823 | } |
| 1824 | } |
| 1825 | return zRepo; |
| 1826 | } |
| 1827 | |
| 1828 | /* |
| 1829 | ** Returns non-zero if the default value for the "allow-symlinks" setting |
| 1830 | ** is "on". When on Windows, this always returns false. |
| 1831 | */ |
| 1832 | int db_allow_symlinks_by_default(void){ |
| 1833 | #if defined(_WIN32) |
| 1834 | return 0; |
| 1835 | #else |
| 1836 | return 1; |
| 1837 | #endif |
| 1838 | } |
| 1839 | |
| 1840 | /* |
| 1841 | ** Returns non-zero if support for symlinks is currently enabled. |
| 1842 | */ |
| 1843 | int db_allow_symlinks(void){ |
| 1844 | return g.allowSymlinks; |
| @@ -1880,13 +1868,14 @@ | |
| 1880 | g.zRepositoryName = mprintf("%s", zDbName); |
| 1881 | db_open_or_attach(g.zRepositoryName, "repository"); |
| 1882 | g.repositoryOpen = 1; |
| 1883 | sqlite3_file_control(g.db, "repository", SQLITE_FCNTL_DATA_VERSION, |
| 1884 | &g.iRepoDataVers); |
| 1885 | /* Cache "allow-symlinks" option, because we'll need it on every stat call */ |
| 1886 | g.allowSymlinks = db_get_boolean("allow-symlinks", |
| 1887 | db_allow_symlinks_by_default()); |
| 1888 | g.zAuxSchema = db_get("aux-schema",""); |
| 1889 | g.eHashPolicy = db_get_int("hash-policy",-1); |
| 1890 | if( g.eHashPolicy<0 ){ |
| 1891 | g.eHashPolicy = hname_default_policy(); |
| 1892 | db_set_int("hash-policy", g.eHashPolicy, 0); |
| @@ -3158,10 +3147,16 @@ | |
| 3158 | ** --repodir DIR If REPOSITORY is a URI that will be cloned, store |
| 3159 | ** the clone in DIR rather than in "." |
| 3160 | ** --setmtime Set timestamps of all files to match their SCM-side |
| 3161 | ** times (the timestamp of the last checkin which modified |
| 3162 | ** them). |
| 3163 | ** --workdir DIR Use DIR as the working directory instead of ".". The DIR |
| 3164 | ** directory is created if it does not exist. |
| 3165 | ** |
| 3166 | ** See also: [[close]], [[clone]] |
| 3167 | */ |
| @@ -3168,11 +3163,11 @@ | |
| 3168 | void cmd_open(void){ |
| 3169 | int emptyFlag; |
| 3170 | int keepFlag; |
| 3171 | int forceMissingFlag; |
| 3172 | int allowNested; |
| 3173 | int allowSymlinks; |
| 3174 | int setmtimeFlag; /* --setmtime. Set mtimes on files */ |
| 3175 | int bForce = 0; /* --force. Open even if non-empty dir */ |
| 3176 | static char *azNewArgv[] = { 0, "checkout", "--prompt", 0, 0, 0, 0 }; |
| 3177 | const char *zWorkDir; /* --workdir value */ |
| 3178 | const char *zRepo = 0; /* Name of the repository file */ |
| @@ -3187,10 +3182,11 @@ | |
| 3187 | allowNested = find_option("nested",0,0)!=0; |
| 3188 | setmtimeFlag = find_option("setmtime",0,0)!=0; |
| 3189 | zWorkDir = find_option("workdir",0,1); |
| 3190 | zRepoDir = find_option("repodir",0,1); |
| 3191 | bForce = find_option("force",0,0)!=0; |
| 3192 | zPwd = file_getcwd(0,0); |
| 3193 | |
| 3194 | |
| 3195 | /* We should be done with options.. */ |
| 3196 | verify_all_options(); |
| @@ -3279,23 +3275,10 @@ | |
| 3279 | }else if( db_exists("SELECT 1 FROM event WHERE type='ci'") ){ |
| 3280 | g.zOpenRevision = db_get("main-branch", 0); |
| 3281 | } |
| 3282 | } |
| 3283 | |
| 3284 | if( g.zOpenRevision ){ |
| 3285 | /* Since the repository is open and we know the revision now, |
| 3286 | ** refresh the allow-symlinks flag. Since neither the local |
| 3287 | ** checkout nor the configuration database are open at this |
| 3288 | ** point, this should always return the versioned setting, |
| 3289 | ** if any, or the default value, which is negative one. The |
| 3290 | ** value negative one, in this context, means that the code |
| 3291 | ** below should fallback to using the setting value from the |
| 3292 | ** repository or global configuration databases only. */ |
| 3293 | allowSymlinks = db_get_versioned_boolean("allow-symlinks", -1); |
| 3294 | }else{ |
| 3295 | allowSymlinks = -1; /* Use non-versioned settings only. */ |
| 3296 | } |
| 3297 | |
| 3298 | #if defined(_WIN32) || defined(__CYGWIN__) |
| 3299 | # define LOCALDB_NAME "./_FOSSIL_" |
| 3300 | #else |
| 3301 | # define LOCALDB_NAME "./.fslckout" |
| @@ -3305,26 +3288,11 @@ | |
| 3305 | "COMMIT; PRAGMA journal_mode=WAL; BEGIN;", |
| 3306 | #endif |
| 3307 | (char*)0); |
| 3308 | db_delete_on_failure(LOCALDB_NAME); |
| 3309 | db_open_local(0); |
| 3310 | if( allowSymlinks>=0 ){ |
| 3311 | /* Use the value from the versioned setting, which was read |
| 3312 | ** prior to opening the local checkout (i.e. which is most |
| 3313 | ** likely empty and does not actually contain any versioned |
| 3314 | ** setting files yet). Normally, this value would be given |
| 3315 | ** first priority within db_get_boolean(); however, this is |
| 3316 | ** a special case because we know the on-disk files may not |
| 3317 | ** exist yet. */ |
| 3318 | g.allowSymlinks = allowSymlinks; |
| 3319 | }else{ |
| 3320 | /* Since the local checkout may not have any files at this |
| 3321 | ** point, this will probably be the setting value from the |
| 3322 | ** repository or global configuration databases. */ |
| 3323 | g.allowSymlinks = db_get_boolean("allow-symlinks", |
| 3324 | db_allow_symlinks_by_default()); |
| 3325 | } |
| 3326 | db_lset("repository", zRepo); |
| 3327 | db_record_repository_filename(zRepo); |
| 3328 | db_set_checkout(0); |
| 3329 | azNewArgv[0] = g.argv[0]; |
| 3330 | g.argv = azNewArgv; |
| @@ -3432,32 +3400,26 @@ | |
| 3432 | ** SETTING: admin-log boolean default=off |
| 3433 | ** |
| 3434 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3435 | ** in the "admin_log" table of the repository. |
| 3436 | */ |
| 3437 | #if defined(_WIN32) |
| 3438 | /* |
| 3439 | ** SETTING: allow-symlinks boolean default=off versionable |
| 3440 | ** |
| 3441 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3442 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3443 | ** the object to which the symbolic link points is ignored, and the content |
| 3444 | ** of the symbolic link that is stored in the repository is the name of the |
| 3445 | ** object to which the symbolic link points. |
| 3446 | */ |
| 3447 | #endif |
| 3448 | #if !defined(_WIN32) |
| 3449 | /* |
| 3450 | ** SETTING: allow-symlinks boolean default=on versionable |
| 3451 | ** |
| 3452 | ** When allow-symlinks is OFF, symbolic links in the repository are followed |
| 3453 | ** and treated no differently from real files. When allow-symlinks is ON, |
| 3454 | ** the object to which the symbolic link points is ignored, and the content |
| 3455 | ** of the symbolic link that is stored in the repository is the name of the |
| 3456 | ** object to which the symbolic link points. |
| 3457 | */ |
| 3458 | #endif |
| 3459 | /* |
| 3460 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3461 | ** If enabled, the /login page provides a button that will automatically |
| 3462 | ** fill in the captcha password. This makes things easier for human users, |
| 3463 | ** at the expense of also making logins easier for malicious robots. |
| 3464 |
| --- src/db.c | |
| +++ src/db.c | |
| @@ -1823,22 +1823,10 @@ | |
| 1823 | } |
| 1824 | } |
| 1825 | return zRepo; |
| 1826 | } |
| 1827 | |
| 1828 | /* |
| 1829 | ** Returns non-zero if support for symlinks is currently enabled. |
| 1830 | */ |
| 1831 | int db_allow_symlinks(void){ |
| 1832 | return g.allowSymlinks; |
| @@ -1880,13 +1868,14 @@ | |
| 1868 | g.zRepositoryName = mprintf("%s", zDbName); |
| 1869 | db_open_or_attach(g.zRepositoryName, "repository"); |
| 1870 | g.repositoryOpen = 1; |
| 1871 | sqlite3_file_control(g.db, "repository", SQLITE_FCNTL_DATA_VERSION, |
| 1872 | &g.iRepoDataVers); |
| 1873 | |
| 1874 | /* Cache "allow-symlinks" option, because we'll need it on every stat call */ |
| 1875 | g.allowSymlinks = db_get_boolean("allow-symlinks",0); |
| 1876 | |
| 1877 | g.zAuxSchema = db_get("aux-schema",""); |
| 1878 | g.eHashPolicy = db_get_int("hash-policy",-1); |
| 1879 | if( g.eHashPolicy<0 ){ |
| 1880 | g.eHashPolicy = hname_default_policy(); |
| 1881 | db_set_int("hash-policy", g.eHashPolicy, 0); |
| @@ -3158,10 +3147,16 @@ | |
| 3147 | ** --repodir DIR If REPOSITORY is a URI that will be cloned, store |
| 3148 | ** the clone in DIR rather than in "." |
| 3149 | ** --setmtime Set timestamps of all files to match their SCM-side |
| 3150 | ** times (the timestamp of the last checkin which modified |
| 3151 | ** them). |
| 3152 | ** --symlinks Allow the use of symbolic links when expanding files |
| 3153 | ** in this check-out, overriding the global allow-symlinks |
| 3154 | ** setting (which default to "off"). CAUTION: This option |
| 3155 | ** might allow a malicious repository to overwrite files |
| 3156 | ** outside of the checkout directory. This option is a |
| 3157 | ** security risk and its use is discouraged. |
| 3158 | ** --workdir DIR Use DIR as the working directory instead of ".". The DIR |
| 3159 | ** directory is created if it does not exist. |
| 3160 | ** |
| 3161 | ** See also: [[close]], [[clone]] |
| 3162 | */ |
| @@ -3168,11 +3163,11 @@ | |
| 3163 | void cmd_open(void){ |
| 3164 | int emptyFlag; |
| 3165 | int keepFlag; |
| 3166 | int forceMissingFlag; |
| 3167 | int allowNested; |
| 3168 | int allowSymlinks = 0; |
| 3169 | int setmtimeFlag; /* --setmtime. Set mtimes on files */ |
| 3170 | int bForce = 0; /* --force. Open even if non-empty dir */ |
| 3171 | static char *azNewArgv[] = { 0, "checkout", "--prompt", 0, 0, 0, 0 }; |
| 3172 | const char *zWorkDir; /* --workdir value */ |
| 3173 | const char *zRepo = 0; /* Name of the repository file */ |
| @@ -3187,10 +3182,11 @@ | |
| 3182 | allowNested = find_option("nested",0,0)!=0; |
| 3183 | setmtimeFlag = find_option("setmtime",0,0)!=0; |
| 3184 | zWorkDir = find_option("workdir",0,1); |
| 3185 | zRepoDir = find_option("repodir",0,1); |
| 3186 | bForce = find_option("force",0,0)!=0; |
| 3187 | if( find_option("symlinks",0,0)!=0 ) allowSymlinks = 1; |
| 3188 | zPwd = file_getcwd(0,0); |
| 3189 | |
| 3190 | |
| 3191 | /* We should be done with options.. */ |
| 3192 | verify_all_options(); |
| @@ -3279,23 +3275,10 @@ | |
| 3275 | }else if( db_exists("SELECT 1 FROM event WHERE type='ci'") ){ |
| 3276 | g.zOpenRevision = db_get("main-branch", 0); |
| 3277 | } |
| 3278 | } |
| 3279 | |
| 3280 | |
| 3281 | #if defined(_WIN32) || defined(__CYGWIN__) |
| 3282 | # define LOCALDB_NAME "./_FOSSIL_" |
| 3283 | #else |
| 3284 | # define LOCALDB_NAME "./.fslckout" |
| @@ -3305,26 +3288,11 @@ | |
| 3288 | "COMMIT; PRAGMA journal_mode=WAL; BEGIN;", |
| 3289 | #endif |
| 3290 | (char*)0); |
| 3291 | db_delete_on_failure(LOCALDB_NAME); |
| 3292 | db_open_local(0); |
| 3293 | if( allowSymlinks ) g.allowSymlinks = 1; |
| 3294 | db_lset("repository", zRepo); |
| 3295 | db_record_repository_filename(zRepo); |
| 3296 | db_set_checkout(0); |
| 3297 | azNewArgv[0] = g.argv[0]; |
| 3298 | g.argv = azNewArgv; |
| @@ -3432,32 +3400,26 @@ | |
| 3400 | ** SETTING: admin-log boolean default=off |
| 3401 | ** |
| 3402 | ** When the admin-log setting is enabled, configuration changes are recorded |
| 3403 | ** in the "admin_log" table of the repository. |
| 3404 | */ |
| 3405 | /* |
| 3406 | ** SETTING: allow-symlinks boolean default=off |
| 3407 | ** |
| 3408 | ** When allow-symlinks is OFF (which is the default and recommended setting) |
| 3409 | ** symbolic links a treated like text files that contain a single line of |
| 3410 | ** content which is the name of their target. If allow-symlinks is ON, |
| 3411 | ** the symbolic links are actually followed. |
| 3412 | ** |
| 3413 | ** The use of symbolic links is dangerous. If you checkout a maliciously |
| 3414 | ** crafted checkin that contains symbolic links, it is possible that files |
| 3415 | ** outside of the working directory might be overwritten. |
| 3416 | ** |
| 3417 | ** Keep this setting OFF unless you have a very good reason to turn it |
| 3418 | ** on and you implicitly trust the integrity of the repositories you |
| 3419 | ** open. |
| 3420 | */ |
| 3421 | /* |
| 3422 | ** SETTING: auto-captcha boolean default=on variable=autocaptcha |
| 3423 | ** If enabled, the /login page provides a button that will automatically |
| 3424 | ** fill in the captcha password. This makes things easier for human users, |
| 3425 | ** at the expense of also making logins easier for malicious robots. |
| 3426 |
-2
| --- src/file.c | ||
| +++ src/file.c | ||
| @@ -1314,12 +1314,10 @@ | ||
| 1314 | 1314 | Th_OpenConfig(1); |
| 1315 | 1315 | } |
| 1316 | 1316 | db_find_and_open_repository(OPEN_ANY_SCHEMA|OPEN_OK_NOT_FOUND, 0); |
| 1317 | 1317 | fossil_print("filenames_are_case_sensitive() = %d\n", |
| 1318 | 1318 | filenames_are_case_sensitive()); |
| 1319 | - fossil_print("db_allow_symlinks_by_default() = %d\n", | |
| 1320 | - db_allow_symlinks_by_default()); | |
| 1321 | 1319 | if( zAllow ){ |
| 1322 | 1320 | g.allowSymlinks = !is_false(zAllow); |
| 1323 | 1321 | } |
| 1324 | 1322 | fossil_print("db_allow_symlinks() = %d\n", db_allow_symlinks()); |
| 1325 | 1323 | for(i=2; i<g.argc; i++){ |
| 1326 | 1324 |
| --- src/file.c | |
| +++ src/file.c | |
| @@ -1314,12 +1314,10 @@ | |
| 1314 | Th_OpenConfig(1); |
| 1315 | } |
| 1316 | db_find_and_open_repository(OPEN_ANY_SCHEMA|OPEN_OK_NOT_FOUND, 0); |
| 1317 | fossil_print("filenames_are_case_sensitive() = %d\n", |
| 1318 | filenames_are_case_sensitive()); |
| 1319 | fossil_print("db_allow_symlinks_by_default() = %d\n", |
| 1320 | db_allow_symlinks_by_default()); |
| 1321 | if( zAllow ){ |
| 1322 | g.allowSymlinks = !is_false(zAllow); |
| 1323 | } |
| 1324 | fossil_print("db_allow_symlinks() = %d\n", db_allow_symlinks()); |
| 1325 | for(i=2; i<g.argc; i++){ |
| 1326 |
| --- src/file.c | |
| +++ src/file.c | |
| @@ -1314,12 +1314,10 @@ | |
| 1314 | Th_OpenConfig(1); |
| 1315 | } |
| 1316 | db_find_and_open_repository(OPEN_ANY_SCHEMA|OPEN_OK_NOT_FOUND, 0); |
| 1317 | fossil_print("filenames_are_case_sensitive() = %d\n", |
| 1318 | filenames_are_case_sensitive()); |
| 1319 | if( zAllow ){ |
| 1320 | g.allowSymlinks = !is_false(zAllow); |
| 1321 | } |
| 1322 | fossil_print("db_allow_symlinks() = %d\n", db_allow_symlinks()); |
| 1323 | for(i=2; i<g.argc; i++){ |
| 1324 |
-1
| --- src/json_config.c | ||
| +++ src/json_config.c | ||
| @@ -83,11 +83,10 @@ | ||
| 83 | 83 | { "keep-glob", CONFIGSET_PROJ }, |
| 84 | 84 | { "crlf-glob", CONFIGSET_PROJ }, |
| 85 | 85 | { "crnl-glob", CONFIGSET_PROJ }, |
| 86 | 86 | { "encoding-glob", CONFIGSET_PROJ }, |
| 87 | 87 | { "empty-dirs", CONFIGSET_PROJ }, |
| 88 | -{ "allow-symlinks", CONFIGSET_PROJ }, | |
| 89 | 88 | { "dotfiles", CONFIGSET_PROJ }, |
| 90 | 89 | |
| 91 | 90 | { "ticket-table", CONFIGSET_TKT }, |
| 92 | 91 | { "ticket-common", CONFIGSET_TKT }, |
| 93 | 92 | { "ticket-change", CONFIGSET_TKT }, |
| 94 | 93 |
| --- src/json_config.c | |
| +++ src/json_config.c | |
| @@ -83,11 +83,10 @@ | |
| 83 | { "keep-glob", CONFIGSET_PROJ }, |
| 84 | { "crlf-glob", CONFIGSET_PROJ }, |
| 85 | { "crnl-glob", CONFIGSET_PROJ }, |
| 86 | { "encoding-glob", CONFIGSET_PROJ }, |
| 87 | { "empty-dirs", CONFIGSET_PROJ }, |
| 88 | { "allow-symlinks", CONFIGSET_PROJ }, |
| 89 | { "dotfiles", CONFIGSET_PROJ }, |
| 90 | |
| 91 | { "ticket-table", CONFIGSET_TKT }, |
| 92 | { "ticket-common", CONFIGSET_TKT }, |
| 93 | { "ticket-change", CONFIGSET_TKT }, |
| 94 |
| --- src/json_config.c | |
| +++ src/json_config.c | |
| @@ -83,11 +83,10 @@ | |
| 83 | { "keep-glob", CONFIGSET_PROJ }, |
| 84 | { "crlf-glob", CONFIGSET_PROJ }, |
| 85 | { "crnl-glob", CONFIGSET_PROJ }, |
| 86 | { "encoding-glob", CONFIGSET_PROJ }, |
| 87 | { "empty-dirs", CONFIGSET_PROJ }, |
| 88 | { "dotfiles", CONFIGSET_PROJ }, |
| 89 | |
| 90 | { "ticket-table", CONFIGSET_TKT }, |
| 91 | { "ticket-common", CONFIGSET_TKT }, |
| 92 | { "ticket-change", CONFIGSET_TKT }, |
| 93 |