Fossil

Check-in [45a3d4b1]

Overview
Comment: Typo correction
SHA3-256: 45a3d4b1670f123e14460d2f458de5755e5739858ac4c1d3f5b831d4eec09951
User & Date: andygoth 2017-08-12 04:19:56
Context
2017-08-12
18:15
Change the shell_escape() procedure into blob_append_escaped_arg(). Have that procedure raise a fatal error if the argument to be appended contains dodgy characters that might pose a security risk. Also, prepend "./" in front of arguments that begin with "-" to prevent them from looking like switches. check-in: 3b191c98 user: drh tags: trunk
16:20
Avoid another attack vector when using SSH sync protocol by not calling a shell interpreter. Fixes only Unix-like environments by using execvp() instead of a string that can be mishandled by /bin/sh. Superseded by [3b191c984b] &co. Closed-Leaf check-in: ce7baa97 user: andybradford tags: ssh-shell-cleanup
04:19
Typo correction check-in: 45a3d4b1 user: andygoth tags: trunk
2017-08-11
16:00
Increase the version number to 2.4 and update the change log. check-in: 3ebbe7bc user: drh tags: trunk
Changes

Changes to www/changes.wiki.

<title>Change Log</title>

<a name='v2_4'></a>
<h2>Changes for Version 2.4 (TBD)</h2>

  *  Fix the "ssh://" protocol to prevent an attacks whereby the attacker convinces
     a victim to run a "clone" with a dodgy URL and thereby gains access to their
     system.
  *  Correct the [/help?cmd=/doc|/doc] page to support read-only repositories.
  *  Correct [/help?cmd=/zip|/zip], [/help?cmd=/tarball|/tarball],
     [/help?cmd=zip|zip], and [/help?cmd=tarball|tarball] pages and commands to
     honor the versioned manifest setting when outside of an open checkout
     directory.





|







<title>Change Log</title>

<a name='v2_4'></a>
<h2>Changes for Version 2.4 (TBD)</h2>

  *  Fix the "ssh://" protocol to prevent an attack whereby the attacker convinces
     a victim to run a "clone" with a dodgy URL and thereby gains access to their
     system.
  *  Correct the [/help?cmd=/doc|/doc] page to support read-only repositories.
  *  Correct [/help?cmd=/zip|/zip], [/help?cmd=/tarball|/tarball],
     [/help?cmd=zip|zip], and [/help?cmd=tarball|tarball] pages and commands to
     honor the versioned manifest setting when outside of an open checkout
     directory.
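
Review bot: The first bullet still leaves the "ssh://" entry vague after the grammar fix: "a dodgy URL" and "gains access to their system" do not tell a reader what makes a URL unsafe or how far the access goes. Consider naming what makes the URL unsafe and the resulting impact in one clause, so that users who "clone" from untrusted sources can judge how urgently they need this version. The correction from "an attacks" to "an attack" itself is fine.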