On Wed, Sep 14, 2011 at 2:20 PM, Stephan Beal <sgb...@googlemail.com> wrote:
> On Wed, Sep 14, 2011 at 8:05 PM, Richard Hipp <d...@sqlite.org> wrote:
>
>> cgi_set_parameter("fossil-ABCDEF", "xxxxxx");
>>
>
> Great :). i now see cgi_replace_parameter(), which is what i really want
> (because the JSON auth info will be processed after fossil has done its
> cookie cutting).
>

To clarify, Fossil uses a single namespace to hold all environment variables, cookies, query parameters, and POST parameters. All of these things are name/value pairs, and they all go into a common look-up table. So there is no way in Fossil to ask for the value of a cookie, for example. You have to ask for the value associated with a name, where that name/value might be any of an environment variable, cookie, query parameter or POST parameter. They all work the same.

Note, however, that query parameters, POST parameters, and cookies always use lower-case names and environment variables use upper-case names. So there is no way to generate a rogue request that overrides an environment variable using a query parameter, for example. In other words, you cannot do:

    http://www.fossil-scm.org/fossil/xfer?REMOTE_USER=drh

... hoping to subvert the login mechanism and push content under my name. But you can interchange cookies, query parameters, and POST parameters, and Fossil won't notice.

>
> Thanks!
>
> --
> ----- stephan beal
> http://wanderinghorse.net/home/stephan/
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>
>

--
D. Richard Hipp
d...@sqlite.org
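The namespace rule described in the message above, modelled as an added C example that is not part of the original thread and is not Fossil's code. The names `param_set`, `param_get` and `enum src` are hypothetical, the sample values are constructed, and checking the case of the first character is an assumed way to enforce the rule.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one shared name/value table; not Fossil's code. */
enum src { SRC_ENV, SRC_QUERY, SRC_POST, SRC_COOKIE };

#define MAX_PARAMS 32
static struct { const char *name, *value; } tbl[MAX_PARAMS];
static int ntbl = 0;

/* Return the value bound to name, or NULL. The caller cannot tell
** which source supplied it. */
const char *param_get(const char *name){
  for(int i=0; i<ntbl; i++){
    if( strcmp(tbl[i].name, name)==0 ) return tbl[i].value;
  }
  return NULL;
}

/* Insert or replace a pair. Returns 1 if stored, 0 if rejected.
** Assumed rule: environment names must start with an upper-case letter,
** request names (query, POST, cookie) with a lower-case letter, so the
** two key sets can never overlap. */
int param_set(enum src s, const char *name, const char *value){
  unsigned char c = (unsigned char)name[0];
  if( s==SRC_ENV ? !isupper(c) : !islower(c) ) return 0;
  for(int i=0; i<ntbl; i++){
    if( strcmp(tbl[i].name, name)==0 ){ tbl[i].value = value; return 1; }
  }
  if( ntbl>=MAX_PARAMS ) return 0;
  tbl[ntbl].name = name;
  tbl[ntbl].value = value;
  ntbl++;
  return 1;
}

int main(void){
  param_set(SRC_ENV, "REMOTE_USER", "anonymous");      /* set by the web server */
  int r = param_set(SRC_QUERY, "REMOTE_USER", "drh");  /* from ?REMOTE_USER=drh */
  printf("override accepted=%d REMOTE_USER=%s\n", r, param_get("REMOTE_USER"));
  param_set(SRC_COOKIE, "name", "from-cookie");
  param_set(SRC_QUERY, "name", "from-query");          /* same slot as the cookie */
  printf("name=%s\n", param_get("name"));
  return 0;
}
```

Because cookies, query parameters and POST parameters share one slot per name, any value read from the table has to be treated as request-controlled unless its name is upper-case.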