Fossil

Timeline
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

50 check-ins occurring around 23a9f9bac2aaddb5.

2019-08-27
10:40
Query and post parameters may never begin with an upper-case letter. To allow that is a huge security hole. check-in: 72c721ea user: drh tags: noJsonCgiFlag
07:21
Restore legacy title handling behavior for TH1 docs (changed via check-in [8abeb62737c2b527]). check-in: 42190026 user: mistachkin tags: noJsonCgiFlag
06:50
Attempt to fix 'CONTENT_TYPE' detection when a suffix, e.g. '; charset=utf-8', is present. check-in: 891bbc6f user: mistachkin tags: noJsonCgiFlag
05:57
Improve comment. check-in: 316dd394 user: mistachkin tags: noJsonCgiFlag
05:55
More refinements. check-in: c1f4a846 user: mistachkin tags: noJsonCgiFlag
05:34
If the '--cgiupperparamsok' command line option or 'uppercase_params' CGI control line are present, allow parameter names to start with an uppercase letter. check-in: ab0d81f8 user: mistachkin tags: noJsonCgiFlag
04:15
Make it possible to disable JSON auto-detection in the CGI subsystem. check-in: a7754353 user: mistachkin tags: noJsonCgiFlag
03:56
Grepped the Fossil source code for C code that checks for Setup caps exclusively to preotect functions and listed those in the Reference section of capablities.md. Also expanded the coverage of the "caps affect Fossil web interfaces only" section, which plays into this. check-in: 689f7683 user: wyoung tags: caps-doc
02:16
Added cap "n" to "r" in skins that show a /ticket link in their header, since the handler for it allows the page to show for those who can only file new tickets, not just those who can see existing tickets. Also fixed some skins that were using "anoncap" to test this: it needs to work for all logged-in users, not just "anonymous". Leaf check-in: f4e3abce user: wyoung tags: skin-cap-matching
02:08
Minor wording change in the header of /vdiff. check-in: 69adb45d user: drh tags: vdiff-improvements
02:07
Updates to the /vdiff page with the branch=BRANCH query parameter so that it uses merge-in: instead of root: and thus excludes merge-in check-ins from the diff. check-in: b36dc6f1 user: drh tags: vdiff-improvements
01:55
Rewrote explanation of "o" cap. check-in: 208ca0d7 user: wyoung tags: caps-doc
01:47
Add the "merge-in:NAME" name type, similar to "root:NAME" except that it finds the youngest anscestor of NAME that is in the branch from which the branch of NAME derived. check-in: dcd8f1d8 user: drh tags: vdiff-improvements
01:40
Disentangled discussion of "developer" vs "reader" in capabilities.md. check-in: 869494eb user: wyoung tags: caps-doc
01:00
Added (Names) to the "Capability Reference" section of capabilities.md so the reference can be used while reading C source code, which uses these names instead of the capability characters in all code past the login handler. check-in: d48dff8f user: wyoung tags: caps-doc
00:29
Merge in documentation enhancements from trunk. check-in: c1b62c32 user: drh tags: vdiff-improvements
00:29
Remove an unused subroutine. Fix a minor CSS problem. check-in: 2078c746 user: drh tags: vdiff-improvements
00:11
On the /vdiff page, show a timeline with both check-ins using different highlights on each check-in. check-in: 6e40f866 user: drh tags: vdiff-improvements
00:07
Changed all of the [anycap jor] TH1 calls in the stock skins wrapping the generation of that skin's /timeline and /timeline.rss links to [anycap ijr2] to match the user caps the timeline HTTP hit handler actually checks for in the C code. This is a branch in part because it needs review, but also it's the start of a broader effort to check the other cap checks in the skins to make sure they a) match what the C code checks for; and b) match each other. check-in: 9cee8cf5 user: wyoung tags: skin-cap-matching
2019-08-25
13:24
Added HTTP proxying info to Debian nginx server setup guide. check-in: c6a033ce user: wyoung tags: trunk
12:39
Replaced the content of "Running Fossil in SCGI Mode" within www/server/debian/nginx.md with references to our other Fossil server docs. This also reduces the prior focus of this section on fslsrv to a single sentence, since we now prefer the systemd option, now that we have it. check-in: a4bb92f7 user: wyoung tags: trunk
12:29
Swapped the simple foo.net "whole site is Fossil" example in www/server/debian/nginx.md for the more complicated example.com one where only /code is served by Fossil. This is probably going to be more common, and it shows off the important detail of setting SCRIPT_NAME properly. Made a minor adjustment to any/scgi.md to track this change, so there is not a pointless difference between these two nginx configs. check-in: 653e90ca user: wyoung tags: trunk
11:52
Clarified use of scgi_params, SCRIPT_NAME, and service starting in the generic SCGI server setup doc. check-in: 5a58ac31 user: wyoung tags: trunk
2019-08-24
18:32
Merge fork check-in: 6c6aae97 user: andygoth tags: trunk
2019-08-23
12:42
Add the fossil_random_password() utility function and use it to generate a stronger initial admin-user password in the "fossil new" command. check-in: 23a9f9ba user: drh tags: trunk
12:23
If the test-markdown-render or test-wiki-render commands are invoked without a repository in which to check for Wiki page names and artifact hashes, then substitute a temporary, empty, in-memory repository so that the commands will still work and won't give SQL errors. check-in: 0ac64dad user: drh tags: trunk
11:49
Clarified the placement of "moderator" and "subscriber" in the power hierarchy expression within www/capabilities.md, since each could float up and down somewhat within the fixed hierarchy we give here. Also fixed a broken URL. check-in: ba88f4f2 user: wyoung tags: caps-doc
11:07
Markdown hyperlinks are only converted to links to wiki if the named wikipage actually exists. Otherwise, the link becomes a relative link. This is for backwards compatibility. check-in: 3b10e644 user: drh tags: trunk
08:31
Added www/capabilities.md, a complete treatment on user capabilities, user categories, login groups, and administration matters involving all of this. It does not replace the pre-existing admin-v-setup.md doc, but a bit of its content did move into this new doc. The new doc also contains the user capability info previously in the forum.wiki doc. This is on a branch because although it's quite useful already, it could use some work before being merged down. At the barest minimum, there are some unanswered questions in the new doc that need addressing.    This new doc does not replace the existing documentation in the UI. It may be that we end up paring that down a bit now that we have a full doc to refer to, but that is a topic for the forum thread that will appear shortly after this checkin. check-in: 832f107e user: wyoung tags: caps-doc
05:32
Fixed a few fatal error messages from the login-group command that referred to an "add" command, which is now called "join". The symptom I saw is that "fossil login-group add" complained that "add" is not a valid command and that you should give '"add" or "leave"' instead! check-in: 09c65d75 user: wyoung tags: trunk
05:22
Fixed a few messages from the login-group command that referred to an apparent older name for the "join" sub-command, "add". This lead to a confusing symptom: "fossil login-group add foo" -> {unknown command "add" - should be "add" or "leave"}. check-in: 739cd872 user: wyoung tags: trunk
2019-08-22
15:06
Stronger recommendation for changing the default user's random hex password prior to setting up a Fossil server after learning it's 6 hex digits, not 8 as I thoght when I wrote that! check-in: 9fcd6e44 user: wyoung tags: trunk
14:14
Added bullet list detailing the sources for <script nonce=""> from a Fossil server and the reasons we consider each path safe. check-in: 91377ae4 user: wyoung tags: trunk
13:31
Reworked the material explaining why in-page <style> is currently allowed by Fossil's default CSP to make it clearer that this is most likely a temporary situation and that local custom CSS should go in the skin instead. check-in: 092eeebf user: wyoung tags: trunk
13:13
Expanded the discussion of in-repo and out-of-repo resource links in defcsp.md. check-in: 23fcd765 user: wyoung tags: trunk
12:39
Reworked the new introductory material in defcsp.md to be less about the CSP as last-resort and more about being a secondary filter to our other measures. Gave examples to clarify the tensions that prevent a purely server-side solution from being a practical solution. check-in: 1c4df5bf user: wyoung tags: trunk
11:54
"RaspberryPI" -> "Raspberry Pi" check-in: 5182be99 user: wyoung tags: trunk
11:53
Assorted refinements to the new pre- and post-activation advice sections in www/server/index.html: nix passive voice, add a few details, add some links to related docs, etc. Also fixed a CSS indenting problem preventing correct use of in , then made use of the new freedom in these sections' numbered lists. check-in: b5c2c9bf user: wyoung tags: trunk
2019-08-21
19:18
Fix the $ROOT mechanism in HTML documents so that it accepts any whitespace character before href= and script=. Add $ROOT in appropriate places in the server documentation. check-in: 3e183bfa user: drh tags: trunk
18:15
Outline how to configure a repository before and after server activation. check-in: 154ea087 user: drh tags: trunk
17:37
Improvements to the althttpd documentation. check-in: 44f1df9f user: drh tags: trunk
17:21
Further improvements to the server document. check-in: c2c4d303 user: drh tags: trunk
16:57
Extra defenses against running fossil_atexit() more than once. check-in: bc7683e1 user: drh tags: trunk
16:55
Fix the "shell" command so that it avoids invoking the atexit() handler more than once. check-in: 07a5a211 user: drh tags: trunk
15:56
Server documentation updates. check-in: b2426c27 user: drh tags: trunk
14:46
Merge in recent developments on trunk. check-in: 70d091ea user: andybradford tags: test-updates
12:32
Disallow versioning of security sensitive settings tcl-setup, th1-setup, and th1-uri-regexp. For effective security, these settings should only be controllable by an administrator. check-in: 2da704c5 user: drh tags: trunk
11:26
Update to the default CSP page. Attempted to resolve merge conflicts, but more editting is likely necessary. check-in: 33a7b8ba user: drh tags: trunk
11:09
Added a header to the new XSS material in defcsp.md so we can refer directly to it. check-in: 7b843f2d user: wyoung tags: trunk
11:01
More thorough explanation of <script nonce> in www/defcsp.md, and explained the reason why Fossil has no way of providing that nonce in most content types rather than link to the "XSS via check-in rights" forum post. This new presentation of that post's ideas is more detailed and includes discussion of the feature's interaction with the TH1 docs feature. check-in: 8d43bb87 user: wyoung tags: trunk