On Sat, Dec 1, 2012 at 7:44 AM, Dmitry Chestnykh <dmi...@codingrobots.com>wrote:
> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp <d...@sqlite.org> wrote:
> > I wonder if it should be even more restrictive - and only deliver static
> > content that ends in some well-known subset of suffixes: *.html, *.htm,
> > *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>
> I think this would be too restrictive.
>

I changed it so that it will only serve files with one of the 187 different
suffixes for which Fossil is able to guess the mimetype. (See
http://www.fossil-scm.org/fossil/artifact/734e4bf7a6ffc5?ln=97-283)
None of *.fossil, *.fossil-journal, *.fossil-wal, and *.fossil-shm are on
that list.

Other anti-mischief rules:

(1) The pathname may only contain ASCII alphanumerics, "_", "/", "-", and "."
(2) The pathname may not contain "/-"
(3) Any "." in the pathname must be surrounded on both sides by alphanumerics.
(4) The pathname may not contain ".fossil"

Notice that these rules prevent serving any file whose name begins with "."
or "-", prevent the serving of files ending in suffixes like ".off" or ".bu",
and prevent things like "/../" in pathnames, etc.

> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or similar flag is supplied. I'm
> worried that this change may be surprising to some people who
> currently may store sensitive information along with their
> repositories. When they upgrade to the new version, suddenly their
> files become exposed to the world.
>

The "fossil ui" command already does this. I'll consider it also for
"fossil server".

I don't guess I've mentioned (needs to be added to the changelog) that
"fossil http" follows the same rules as "fossil server" and will serve
static content now.

>
> --
> Dmitry Chestnykh
> http://www.codingrobots.com
>

--
D. Richard Hipp
d...@sqlite.org
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
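The four anti-mischief rules plus the suffix allowlist described in the message above, implemented as a stand-alone checker. This is an added example, not Fossil's own code: it assumes the pathname is the request path including its leading "/", that a file with no suffix at all is refused, and it uses a small constructed subset of suffixes in place of Fossil's 187-entry mimetype table.

```c
/* Added illustration of the static-content path rules from the thread above.
** Not Fossil's code. Assumptions: zPath is the URL path including the leading
** '/', a path with no suffix is refused, and kSuffixes is a small constructed
** stand-in for Fossil's real mimetype table. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the suffix allowlist (the real table has 187). */
static const char *const kSuffixes[] = {
  "css", "gif", "htm", "html", "ico", "jpeg", "jpg",
  "js", "png", "svg", "txt", "xml"
};

/* ASCII-only alphanumeric test; isalnum() on high bytes is locale dependent. */
static int is_alnum_ascii(unsigned char c){
  return c < 0x80 && isalnum(c);
}

/* Returns 1 if the text after the LAST '.' is an allowed suffix. Because only
** the last suffix is consulted, "index.html.bu" is judged by "bu", not "html". */
static int suffix_allowed(const char *zPath){
  const char *zDot = strrchr(zPath, '.');
  if( zDot==0 ) return 0;               /* no suffix at all: refuse */
  const char *zSfx = zDot + 1;
  for(size_t i=0; i<sizeof(kSuffixes)/sizeof(kSuffixes[0]); i++){
    if( strcmp(zSfx, kSuffixes[i])==0 ) return 1;
  }
  return 0;
}

/* Returns 1 if zPath may be served as static content, 0 if it must be refused.
** Rules (1)-(4) are the ones listed in the message; the suffix check comes last. */
int static_path_ok(const char *zPath){
  size_t n = strlen(zPath);
  if( n==0 ) return 0;
  for(size_t i=0; i<n; i++){
    unsigned char c = (unsigned char)zPath[i];
    /* (1) only ASCII alphanumerics, '_', '/', '-', '.' */
    if( !is_alnum_ascii(c) && c!='_' && c!='/' && c!='-' && c!='.' ) return 0;
    /* (2) no path component may begin with '-' */
    if( c=='/' && zPath[i+1]=='-' ) return 0;
    /* (3) every '.' must have an alphanumeric on both sides; this alone
    **     rejects "/../", "/.hidden", and a leading or trailing '.' */
    if( c=='.' ){
      if( i==0 || i+1>=n ) return 0;
      if( !is_alnum_ascii((unsigned char)zPath[i-1])
       || !is_alnum_ascii((unsigned char)zPath[i+1]) ) return 0;
    }
  }
  /* (4) never anything containing ".fossil" (covers -journal, -wal, -shm) */
  if( strstr(zPath, ".fossil")!=0 ) return 0;
  return suffix_allowed(zPath);
}

int main(void){
  /* Constructed sample request paths, not taken from any real server log. */
  static const char *const azSample[] = {
    "/doc/index.html", "/css/style.css", "/img/logo.png",
    "/../etc/passwd", "/.htaccess", "/-secret.txt",
    "/repo.fossil", "/repo.fossil-wal", "/index.html.bu",
    "/index.html.off", "/a b.html", "/notes"
  };
  for(size_t i=0; i<sizeof(azSample)/sizeof(azSample[0]); i++){
    printf("%-20s %s\n", azSample[i],
           static_path_ok(azSample[i]) ? "serve" : "refuse");
  }
  return 0;
}
```

Note that rule (3) does the heavy lifting against traversal: "/../" fails because the first "." follows a "/", so no separate "..'' check is needed, and the same rule is what keeps dotfiles out. The suffix check is on the last suffix only, which is why backup-style names such as "index.html.bu" and "index.html.off" are refused even though they contain an allowed suffix in the middle.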