On Mon, Apr 3, 2017 at 5:28 AM, Eduard <[email protected]> wrote:
> Hi,
>
> I recently realized that fossil repository hosting websites (such as
> chiselapp <http://chiselapp.com/> and hydra
> <https://hydra.ecd.space/f/hydra/>) are vulnerable to arbitrary HTML
> injection (XSS) as soon as they give (untrusted) users the 'setup'
> capability to the repositories they create.

Giving an untrusted user setup rights is kind of like giving them your bank card and its PIN. Setup rights are only intended for the person (or people) who physically maintain a repository, not untrusted users.

> As a related and more general question, what damage can a "fossil http -R
> $repo" command do to surrounding files/other repositories? In particular,
> using TH1/SQL or using the JSON interface?

-R $repo limits that server process's access to that one repo. There are no services (other than "login groups") which span repos.

TH1, if you add TCL support to it, can run any arbitrary commands which TCL allows, so all bets are off in that case ("rm -fr /etc"). Only setup user(s) should be able to add TH1/TCL code to a repo, though, and if you have "untrusted" setup users then (again) all bets are off. That's not a technical/fossil problem, but an organizational one.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
"Freedom is sloppy. But since tyranny's the only guaranteed byproduct of those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
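A defender-side audit for the two risks raised above (an added example, not code from the thread or from the fossil project): it opens a repository file read-only and reports which users hold the 's' (setup) capability and whether the `tcl` setting is on. It assumes fossil's `user.cap` column holds capability letters and that the `tcl` setting lives in the `config` table; the in-memory sample repository is constructed for the demonstration.

```python
import sqlite3

# Capability letter for "setup" in fossil's user.cap column (assumption,
# matching the thread's use of the term).
SETUP_CAP = "s"


def build_sample_repo():
    """Constructed in-memory stand-in for a fossil repository database.
    Only the columns the audit reads are mirrored (assumed to match the
    real `user` and `config` tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE, cap TEXT);
        CREATE TABLE config(name TEXT PRIMARY KEY NOT NULL, value CLOB);
        INSERT INTO user(login, cap) VALUES
            ('admin',     's'),
            ('alice',     'dei'),
            ('bob',       'sdei'),   -- a second setup user: worth a look
            ('anonymous', 'hmnc');
        INSERT INTO config(name, value) VALUES ('tcl', '1');
    """)
    return db


def audit_repo(db):
    """Return setup users, Tcl state and a list of human-readable findings."""
    setup_users = [row[0] for row in db.execute(
        "SELECT login FROM user WHERE instr(cap, ?) > 0 ORDER BY login",
        (SETUP_CAP,))]
    row = db.execute("SELECT value FROM config WHERE name = 'tcl'").fetchone()
    # Assumption: fossil stores boolean settings as 1/0 or on/off/true/false.
    tcl_enabled = row is not None and str(row[0]).lower() in ("1", "on", "true", "yes")
    findings = []
    if len(setup_users) > 1:
        findings.append("multiple setup users: " + ", ".join(setup_users))
    if tcl_enabled:
        findings.append("tcl setting enabled: TH1 code can run arbitrary Tcl commands")
    return {"setup_users": setup_users, "tcl_enabled": tcl_enabled, "findings": findings}


def audit_file(path):
    """Audit a real repository file; the read-only URI keeps the audit from writing to it."""
    db = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_repo(db)
    finally:
        db.close()


if __name__ == "__main__":
    for finding in audit_repo(build_sample_repo())["findings"]:
        print("WARNING:", finding)
```

Run `audit_file("/path/to/repo.fossil")` against a hosted repository to get the same report for real users.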