On Wed, Sep 14, 2011 at 8:30 PM, Richard Hipp <d...@sqlite.org> wrote:

> To clarify, Fossil uses a single namespace to hold all environment
> variables, ...parameter.  They all work the same.
>

That's a bonus for me, actually. i'm currently digging around in
login_check_credentials() and friends to figure out where this
belongs. login_check_credentials() is rather complex due to the handling of
various login sources and the anonymous user (i foresee a problem on my side
in handling the captcha seed - i will probably need an extra request which
fetches this seed).


> Note however, that query parameters, POST parameters, and cookies always
> use lower-case names and environment variables use upper-case names.  So
>

That's good to know.


> there is no way to generate a rogue request that overrides an environment
> variable using a query parameter, for example.  In other words, you cannot
> do:
>
>      http://www.fossil-scm.org/fossil/xfer?REMOTE_USER=drh
>
> ... hoping to subvert the login mechanism and push content under my name.
>

Oh, you know i wouldn't think of trying that! ;)


> But you can interchange cookies, query parameters, and POST parameters, and
> Fossil won't notice.
>

Great - that's part of what i need to do, e.g. to allow certain request
options to either be set via GET params or POST request properties.

Anyway... i think i've been pointed in the right direction, now i just need
to go get it working.

Thanks again for the help,

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
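
The property discussed in this thread (one shared namespace, with upper-case names reserved for environment variables), sketched as an added example; this is not Fossil's code and was not posted by either participant. The function names are hypothetical, and enforcing the convention by checking the first character of each name is an assumption made here for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One table holds environment variables and request parameters alike. */
struct param { char name[64]; char value[128]; };
static struct param params[32];
static int n_params = 0;

static void set_param(const char *name, const char *value) {
    if (n_params >= 32) return;
    snprintf(params[n_params].name, sizeof params[n_params].name, "%s", name);
    snprintf(params[n_params].value, sizeof params[n_params].value, "%s", value);
    n_params++;
}

/* Case-sensitive lookup in the shared namespace; NULL when absent. */
const char *get_param(const char *name) {
    for (int i = 0; i < n_params; i++)
        if (strcmp(params[i].name, name) == 0) return params[i].value;
    return NULL;
}

/* Trusted source: values set by the web server (upper-case names). */
void load_env(const char *name, const char *value) { set_param(name, value); }
void reset_params(void) { n_params = 0; }

/* Untrusted source: "a=1&b=2" from a query string or POST body (URL decoding
** omitted). Names not starting with a lower-case letter are dropped, so a
** request cannot occupy an environment variable's slot. Returns drop count. */
int load_request_params(const char *input) {
    char buf[512];
    int rejected = 0;
    snprintf(buf, sizeof buf, "%s", input);
    for (char *tok = strtok(buf, "&"); tok; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq) *eq = '\0';
        if (islower((unsigned char)tok[0])) set_param(tok, eq ? eq + 1 : "");
        else rejected++;
    }
    return rejected;
}

int main(void) {
    load_env("REMOTE_USER", "stephan");            /* constructed sample value */
    int dropped = load_request_params("name=trunk&REMOTE_USER=drh");
    printf("dropped=%d REMOTE_USER=%s\n", dropped, get_param("REMOTE_USER"));
    return 0;
}
```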
