Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-05 Thread Clark Christensen
+1



- Original Message -
From: Dmitry Chestnykh 
To: Fossil SCM user's discussion 
Cc: 
Sent: Saturday, December 1, 2012 4:44 AM
Subject: Re: [fossil-users] Fossil version 1.25 scheduled.

On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp  wrote:
> I wonder if it should be even more restrictive - and only deliver static
> content that ends in some well-known subset of suffixes:  *.html, *.htm,
> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js

I think this would be too restrictive.

On a related note, I think you should consider making the previous
behaviour (not serving static files) the default one, and serve static
files only when --static-files or similar flag is supplied. I'm
worried that this change may be surprising to some people who
currently may store sensitive information along with their
repositories. When they upgrade to the new version, suddenly their
files become exposed to the world.

--
Dmitry Chestnykh
http://www.codingrobots.com
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users



Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-04 Thread Martin Gagnon
On 2012-12-04 at 06:03, Richie Adler wrote:

> fossil-m...@h-rd.org said, in the message "Re: [fossil-users] Fossil version
> 1.25 scheduled." of Tuesday, 04 December 2012 07:26:32:
> 
>> Why not have fossil allow serving files only from a specific, specified
>> directory (in settings)? I think that's better than filtering on mime
>> types etc. An advantage is that it allows you to serve whatever file
>> you want, maybe including fossil repos or whatever custom files you
>> have.
> 
> +1
> 

+1,

Or instead of filtering based on mime type, it could have a setting (eg: 
serve-static-glob) empty by default. If you want to serve static files, you add 
them to the setting or (*,.*) if you want everything.

You can also limit to everything in a directory with: dir/*

-- 
Martin G.


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-04 Thread Richie Adler
fossil-m...@h-rd.org said, in the message "Re: [fossil-users] Fossil version
1.25 scheduled." of Tuesday, 04 December 2012 07:26:32:

> Why not have fossil allow serving files only from a specific, specified
> directory (in settings)? I think that's better than filtering on mime
> types etc. An advantage is that it allows you to serve whatever file
> you want, maybe including fossil repos or whatever custom files you
> have.

+1





Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-04 Thread fossil-mail

Dmitry Chestnykh Fri, 30 Nov 2012 14:09:20 -0800

> Regarding this change:
>
> - Enhance the "fossil server DIRECTORY" command to serve static
> content files contained in DIRECTORY.
>
> It now allows downloading the repo itself.
>
> e.g.
>
> fossil server ~/fossils
>
> (I have a Fossil clone located at ~/fossil/pub/fossil.fossil)
>
> http://127.0.0.1:8080/pub/fossil/
>
> will show the repository, as intended, while
>
> http://127.0.0.1:8080/pub/fossil.fossil
>
> will download it. Oops.
>
> -Dmitry

Why not have fossil allow serving files only from a specific, specified
directory (in settings)? I think that's better than filtering on mime
types etc. An advantage is that it allows you to serve whatever file
you want, maybe including fossil repos or whatever custom files you
have.





Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-02 Thread Jan Nijtmans
2012/12/1 Clive Hayward :
> Please add the latest Microsoft Office formats to the supported types.
> ".xlsx", "docx", "pptx"

It's done in [4e23c42f7e], but not with the
correct mime-types. See:

for the complete list of Office 2007 mime-types and all possible extensions.

Regards,
   Jan Nijtmans


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Altu Faltu
New feature of getting diff by clicking graph in timeline doesn't seem to work 
on IE8.

- Original Message -
From: Richard Hipp
Sent: 12/01/12 02:46 AM
To: fossil-users
Subject: [fossil-users] Fossil version 1.25 scheduled.

 I have put up a change log for Fossil version 1.25 with a tentative release 
date of 2012-12-19

http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki 

 There has been a *lot* of change since 1.24. Please test the trunk version of 
Fossil as you are able to. Report any issues to this mailing list, or file a 
ticket. We want 1.25 to be a good release, but we need your help in testing in 
order to accomplish that.

 FWIW, we do eat our own dogfood. The Fossil executable that runs the Fossil 
website gets updated to the tip of trunk roughly every day. The same executable 
also runs http://www.sqlite.org/  and several other websites. And all of my 
personal machines (linux, mac, and windows) are running the very latest Fossil 
code. If there were serious problems with the latest Fossil code, I would be 
doomed. You can trust that the tip of trunk is reasonably stable. Nevertheless, 
I'm sure if hundreds of you start testing the latest code, some of you will run 
across various minor issues, issues that we would prefer to fix prior to 1.25 
instead of after. Therefore, do please test. Thanks.
 --
 D. Richard Hipp
 d...@sqlite.org


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Clive Hayward
Please add the latest Microsoft Office formats to the supported types.
".xlsx", "docx", "pptx"

Thanks

On Sat, Dec 1, 2012 at 5:35 AM, Richard Hipp  wrote:
>> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp  wrote:
>> > I wonder if it should be even more restrictive - and only deliver static
>> > content that ends in some well-known subset of suffixes:  *.html, *.htm,
>> > *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>>
>> I think this would be too restrictive.
>
>
> I changed it so that it will only serve files with one of the 187 different
> suffixes for which Fossil is able to guess the mimetype. (See
> http://www.fossil-scm.org/fossil/artifact/734e4bf7a6ffc5?ln=97-283)  None of
> *.fossil, *.fossil-journal, *.fossil-wal, and *.fossil-shm are on that list.



-- 
Clive Hayward


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Baptiste Daroussin
2012/11/30 Richard Hipp 

> I have put up a change log for Fossil version 1.25 with a tentative
> release date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
>
> There has been a *lot* of change since 1.24.  Please test the trunk
> version of Fossil as you are able to.  Report any issues to this mailing
> list, or file a ticket.  We want 1.25 to be a good release, but we need
> your help in testing in order to accomplish that.
>
> FWIW, we do eat our own dogfood.  The Fossil executable that runs the
> Fossil website gets updated to the tip of trunk roughly every day.  The
> same executable also runs http://www.sqlite.org/ and several other
> websites.  And all of my personal machines (linux, mac, and windows) are
> running the very latest Fossil code.  If there were serious problems with
> the latest Fossil code, I would be doomed.  You can trust that the tip of
> trunk is reasonably stable.  Nevertheless, I'm sure if hundreds of you
> start testing the latest code, some of you will run across various minor
> issues, issues that we would prefer to fix prior to 1.25 instead of after.
> Therefore, do please test.  Thanks.


I have been testing the latest trunk on FreeBSD (so far no problem
spotted) thank you very much, I am a big user of fossil on FreeBSD and
really happy with it :)

I haven't followed the development recently, but was hoping for a markdown
integration for 1.25 given that a branch for markdown integration was
created a month ago. So sorry to bother you again with this, but is there any
status for this particular thing?

regards,
Bapt


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Richard Hipp
On Sat, Dec 1, 2012 at 7:44 AM, Dmitry Chestnykh wrote:

> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp  wrote:
> > I wonder if it should be even more restrictive - and only deliver static
> > content that ends in some well-known subset of suffixes:  *.html, *.htm,
> > *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>
> I think this would be too restrictive.
>

I changed it so that it will only serve files with one of the 187 different
suffixes for which Fossil is able to guess the mimetype. (See
http://www.fossil-scm.org/fossil/artifact/734e4bf7a6ffc5?ln=97-283)  None
of *.fossil, *.fossil-journal, *.fossil-wal, and *.fossil-shm are on that
list.

Other anti-mischief rules:

(1) The pathname may only contain ASCII alphanumerics, "_", "/", "-", and
"."
(2) The pathname may not contain "/-"
(3) Any "." in the pathname must be surrounded on both sides by
alphanumerics.
(4) The pathname may not contain ".fossil"

Notice that these rules prevent serving any file whose name begins with "."
or "-", prevent the serving of files ending in suffixes like ".off" or
".bu", and prevent things like "/../" in pathnames, etc.


>
> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or similar flag is supplied. I'm
> worried that this change may be surprising to some people who
> currently may store sensitive information along with their
> repositories. When they upgrade to the new version, suddenly their
> files become exposed to the world.
>

The "fossil ui" command already does this.  I'll consider it also for
"fossil server".  I don't guess I've mentioned (needs to be added to the
changelog) that "fossil http" follows the same rules as "fossil server" and
will serve static content now.



>
> --
> Dmitry Chestnykh
> http://www.codingrobots.com
>



-- 
D. Richard Hipp
d...@sqlite.org
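The four anti-mischief rules and the known-suffix check from the message above, as an added C example that is not Fossil's own code. The suffix table here is an assumed nine-entry subset of the 187 Fossil knows, and the input is assumed to be the request path as it appears in the URL, starting with "/".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed subset of the suffixes Fossil can map to a mimetype; the real
   table has 187 entries. Anything not listed here is refused. */
static const char *const kAllowedSuffixes[] = {
    "html", "htm", "jpg", "jpeg", "gif", "png", "txt", "css", "js", NULL
};

static bool isAsciiAlnum(unsigned char c) {
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Applies the four anti-mischief rules to a request path such as
   "/pub/index.html" and then the suffix allow-list. Returns true only
   when every check passes, so the default answer is "do not serve". */
bool staticPathAllowed(const char *zPath) {
    size_t n = strlen(zPath);
    if (n == 0) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)zPath[i];
        /* Rule 1: only ASCII alphanumerics, '_', '/', '-' and '.' */
        if (!isAsciiAlnum(c) && c != '_' && c != '/' && c != '-' && c != '.')
            return false;
        /* Rule 2: no "/-", so no path component may begin with '-' */
        if (c == '/' && zPath[i + 1] == '-') return false;
        /* Rule 3: every '.' needs an alphanumeric on both sides, which
           rejects ".hidden", "..", "/." and a trailing '.' in one go */
        if (c == '.') {
            if (i == 0 || i + 1 >= n) return false;
            if (!isAsciiAlnum((unsigned char)zPath[i - 1]) ||
                !isAsciiAlnum((unsigned char)zPath[i + 1])) return false;
        }
    }
    /* Rule 4: nothing containing ".fossil" (repo, -journal, -wal, -shm) */
    if (strstr(zPath, ".fossil") != NULL) return false;
    /* Suffix allow-list: the text after the last '.' must be a known one */
    const char *zDot = strrchr(zPath, '.');
    if (zDot == NULL) return false;
    for (int i = 0; kAllowedSuffixes[i] != NULL; i++) {
        if (strcmp(zDot + 1, kAllowedSuffixes[i]) == 0) return true;
    }
    return false;
}

int main(void) {
    /* Constructed sample request paths, including the one from the thread */
    const char *const azSample[] = {
        "/pub/index.html", "/pub/logo.png", "/pub/fossil.fossil",
        "/pub/fossil.fossil-journal", "/pub/../etc/passwd", "/.htaccess",
        "/pub/-secret.txt", "/pub/notes.txt.bu", "/pub/caf\xC3\xA9.html"
    };
    for (size_t i = 0; i < sizeof(azSample) / sizeof(azSample[0]); i++) {
        printf("%-28s %s\n", azSample[i],
               staticPathAllowed(azSample[i]) ? "serve" : "refuse");
    }
    return 0;
}
```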


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Richie Adler
Dmitry Chestnykh said, in the message "Re: [fossil-users] Fossil version 1.25
scheduled." of Saturday, 01 December 2012 09:44:27:

> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or similar flag is supplied. I'm
> worried that this change may be surprising to some people who
> currently may store sensitive information along with their
> repositories. When they upgrade to the new version, suddenly their
> files become exposed to the world.

Or when a hosting site updates Fossil (Chisel comes to mind).

Proposal seconded.

-- 

   o-=< Marcelo >=-o



Re: [fossil-users] Fossil version 1.25 scheduled.

2012-12-01 Thread Dmitry Chestnykh
On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp  wrote:
> I wonder if it should be even more restrictive - and only deliver static
> content that ends in some well-known subset of suffixes:  *.html, *.htm,
> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js

I think this would be too restrictive.

On a related note, I think you should consider making the previous
behaviour (not serving static files) the default one, and serve static
files only when --static-files or similar flag is supplied. I'm
worried that this change may be surprising to some people who
currently may store sensitive information along with their
repositories. When they upgrade to the new version, suddenly their
files become exposed to the world.

--
Dmitry Chestnykh
http://www.codingrobots.com


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-11-30 Thread Richard Hipp
On Fri, Nov 30, 2012 at 5:09 PM, Dmitry Chestnykh
wrote:

> Regarding this change:
>
> - Enhance the "fossil server DIRECTORY" command to serve static
> content files contained in DIRECTORY.
>
> It now allows downloading the repo itself.
>

Thanks for noticing this huge security hole.  The "fossil server" command
now refuses to deliver any file as static content that contains ".fossil"
anywhere in its name.  That prevents repositories and their journal files
from being delivered as static content.

I wonder if it should be even more restrictive - and only deliver static
content that ends in some well-known subset of suffixes:  *.html, *.htm,
*.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js


>
> e.g.
>
> fossil server ~/fossils
>
> (I have a Fossil clone located at ~/fossil/pub/fossil.fossil)
>
> http://127.0.0.1:8080/pub/fossil/
>
> will show the repository, as intended, while
>
> http://127.0.0.1:8080/pub/fossil.fossil
>
> will download it. Oops.
>
> -Dmitry
>
> PS Clicking on nodes for diff is *awesome*!
>
> On Fri, Nov 30, 2012 at 10:16 PM, Richard Hipp  wrote:
> > I have put up a change log for Fossil version 1.25 with a tentative
> release
> > date of 2012-12-19
> >
> > http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
> >
> > There has been a *lot* of change since 1.24.  Please test the trunk
> version
> > of Fossil as you are able to.  Report any issues to this mailing list, or
> > file a ticket.  We want 1.25 to be a good release, but we need your help
> in
> > testing in order to accomplish that.
> >
> > FWIW, we do eat our own dogfood.  The Fossil executable that runs the
> Fossil
> > website gets updated to the tip of trunk roughly every day.  The same
> > executable also runs http://www.sqlite.org/ and several other websites.
>  And
> > all of my personal machines (linux, mac, and windows) are running the
> very
> > latest Fossil code.  If there were serious problems with the latest
> Fossil
> > code, I would be doomed.  You can trust that the tip of trunk is
> reasonably
> > stable.  Nevertheless, I'm sure if hundreds of you start testing the
> latest
> > code, some of you will run across various minor issues, issues that we
> would
> > prefer to fix prior to 1.25 instead of after.  Therefore, do please test.
> > Thanks.
> > --
> > D. Richard Hipp
> > d...@sqlite.org
> >
> >
>
>
>
> --
> --
> Dmitry Chestnykh
> http://www.codingrobots.com
>



-- 
D. Richard Hipp
d...@sqlite.org


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-11-30 Thread Dmitry Chestnykh
Regarding this change:

- Enhance the "fossil server DIRECTORY" command to serve static
content files contained in DIRECTORY.

It now allows downloading the repo itself.

e.g.

fossil server ~/fossils

(I have a Fossil clone located at ~/fossil/pub/fossil.fossil)

http://127.0.0.1:8080/pub/fossil/

will show the repository, as intended, while

http://127.0.0.1:8080/pub/fossil.fossil

will download it. Oops.

-Dmitry

PS Clicking on nodes for diff is *awesome*!

On Fri, Nov 30, 2012 at 10:16 PM, Richard Hipp  wrote:
> I have put up a change log for Fossil version 1.25 with a tentative release
> date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
>
> There has been a *lot* of change since 1.24.  Please test the trunk version
> of Fossil as you are able to.  Report any issues to this mailing list, or
> file a ticket.  We want 1.25 to be a good release, but we need your help in
> testing in order to accomplish that.
>
> FWIW, we do eat our own dogfood.  The Fossil executable that runs the Fossil
> website gets updated to the tip of trunk roughly every day.  The same
> executable also runs http://www.sqlite.org/ and several other websites.  And
> all of my personal machines (linux, mac, and windows) are running the very
> latest Fossil code.  If there were serious problems with the latest Fossil
> code, I would be doomed.  You can trust that the tip of trunk is reasonably
> stable.  Nevertheless, I'm sure if hundreds of you start testing the latest
> code, some of you will run across various minor issues, issues that we would
> prefer to fix prior to 1.25 instead of after.  Therefore, do please test.
> Thanks.
> --
> D. Richard Hipp
> d...@sqlite.org
>
>



-- 
--
Dmitry Chestnykh
http://www.codingrobots.com


Re: [fossil-users] Fossil version 1.25 scheduled.

2012-11-30 Thread Jan Nijtmans
2012/11/30 Richard Hipp :
> I have put up a change log for Fossil version 1.25 with a tentative release
> date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki

I am reading in the ChangeLog:
> Disallow invalid UTF8 characters (such as overlength characters or characters
> in the surrogate pair range) in filename.

The current code disallows characters in the surrogate pair range,
characters > U+ and Characters in the Private area, but
not overlength characters or invalid UTF-8 byte sequences.
Of course those two possibilities could still be added.

Regards,
  Jan Nijtmans
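A filename byte checker covering the cases discussed above, written as an added C example rather than Fossil's own code: it reports surrogates, code points above U+10FFFF and private-use characters, and also the overlong encodings and malformed byte sequences that Jan notes are not yet rejected. The status enum and sample names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of checking a filename's bytes; constructed for this example. */
typedef enum {
    UTF8_OK = 0,
    UTF8_BAD_SEQUENCE,  /* stray continuation byte, bad lead byte or truncated sequence */
    UTF8_OVERLONG,      /* code point encoded with more bytes than needed, e.g. C0 AF */
    UTF8_SURROGATE,     /* U+D800..U+DFFF, never valid in UTF-8 */
    UTF8_OUT_OF_RANGE,  /* above U+10FFFF */
    UTF8_PRIVATE_USE    /* U+E000..U+F8FF plus planes 15 and 16 */
} Utf8Status;

Utf8Status checkUtf8Filename(const unsigned char *z, size_t n) {
    size_t i = 0;
    while (i < n) {
        unsigned char c = z[i];
        unsigned long cp;
        int len;
        /* Decode the lead byte; 0x80..0xBF and 0xF8..0xFF are never leads */
        if (c < 0x80)                { cp = c;        len = 1; }
        else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; len = 2; }
        else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; len = 3; }
        else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; len = 4; }
        else return UTF8_BAD_SEQUENCE;
        if (i + len > n) return UTF8_BAD_SEQUENCE;   /* truncated at end of name */
        for (int k = 1; k < len; k++) {
            if ((z[i + k] & 0xC0) != 0x80) return UTF8_BAD_SEQUENCE;
            cp = (cp << 6) | (z[i + k] & 0x3F);
        }
        /* Overlong: the decoded value would have fit in fewer bytes */
        if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
            (len == 4 && cp < 0x10000)) return UTF8_OVERLONG;
        if (cp >= 0xD800 && cp <= 0xDFFF) return UTF8_SURROGATE;
        if (cp > 0x10FFFF) return UTF8_OUT_OF_RANGE;
        if ((cp >= 0xE000 && cp <= 0xF8FF) || cp >= 0xF0000) return UTF8_PRIVATE_USE;
        i += len;
    }
    return UTF8_OK;
}

/* Convenience wrapper for NUL-terminated names */
Utf8Status checkUtf8Name(const char *z) {
    return checkUtf8Filename((const unsigned char *)z, strlen(z));
}

int main(void) {
    /* Constructed samples: valid, overlong x2, surrogate, out of range,
       private use, stray continuation byte, truncated sequence */
    const char *const azSample[] = {
        "caf\xC3\xA9.txt", "\xC0\xAF", "\xE0\x80\xAF", "\xED\xA0\x80",
        "\xF4\x90\x80\x80", "\xEE\x80\x80", "\x80oops", "abc\xC3"
    };
    static const char *const azName[] = { "ok", "bad-sequence", "overlong",
        "surrogate", "out-of-range", "private-use" };
    for (size_t i = 0; i < sizeof(azSample) / sizeof(azSample[0]); i++)
        printf("sample %zu: %s\n", i, azName[checkUtf8Name(azSample[i])]);
    return 0;
}
```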


[fossil-users] Fossil version 1.25 scheduled.

2012-11-30 Thread Richard Hipp
I have put up a change log for Fossil version 1.25 with a tentative release
date of 2012-12-19

http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki

There has been a *lot* of change since 1.24.  Please test the trunk version
of Fossil as you are able to.  Report any issues to this mailing list, or
file a ticket.  We want 1.25 to be a good release, but we need your help in
testing in order to accomplish that.

FWIW, we do eat our own dogfood.  The Fossil executable that runs the
Fossil website gets updated to the tip of trunk roughly every day.  The
same executable also runs http://www.sqlite.org/ and several other
websites.  And all of my personal machines (linux, mac, and windows) are
running the very latest Fossil code.  If there were serious problems with
the latest Fossil code, I would be doomed.  You can trust that the tip of
trunk is reasonably stable.  Nevertheless, I'm sure if hundreds of you
start testing the latest code, some of you will run across various minor
issues, issues that we would prefer to fix prior to 1.25 instead of after.
Therefore, do please test.  Thanks.
-- 
D. Richard Hipp
d...@sqlite.org