Re: [fossil-users] REST API and client for same

2017-04-03 Thread Stephan Beal
On Sun, Apr 2, 2017 at 11:38 PM, Warren Young wrote:
> On Apr 2, 2017, at 2:48 PM, Stephan Beal wrote:
> >
> > a) that's essentially what the JSON API is
>
> …minus the lightweight Subversion-like client, of course.
>
> But, it’s good to know that most

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Stephan Beal
On Mon, Apr 3, 2017 at 5:28 AM, Eduard wrote:
> Hi,
>
> I recently realized that fossil repository hosting websites (such as
> chiselapp and hydra ) are vulnerable to arbitrary HTML
> injection (XSS) as

[fossil-users] SSL on Mac

2017-04-03 Thread J. Cameron Cooper
I had Fossil installed on a seldom-used Mac and it worked fine. Trying it again today, it failed to connect to Chisel:

$ fossil version
This is fossil version 1.33 [9c65b5432e] 2015-05-23 11:11:31 UTC
MacBook-Pro:bottlemarkapp hercooper$ fossil up
Autosync:

Re: [fossil-users] REST API and client for same

2017-04-03 Thread Warren Young
On Apr 3, 2017, at 1:29 AM, Stephan Beal wrote:
>
> Commits can't be done without a checkout

Given a way to ask Fossil over HTTP for the set of artifacts that makes up $reference, where the latter is anything Fossil currently accepts in “fossil up $reference” you’ll

Re: [fossil-users] REST API and client for same

2017-04-03 Thread Stephan Beal
On Mon, Apr 3, 2017 at 3:25 PM, Warren Young wrote:
> On Apr 3, 2017, at 1:29 AM, Stephan Beal wrote:
> >
> > Commits can't be done without a checkout
>
> Given a way to ask Fossil over HTTP for the set of artifacts that makes up
> $reference, where

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Eduard
On 04/03/2017 02:16 AM, Warren Young wrote:
> On Apr 2, 2017, at 9:28 PM, Eduard wrote:
>>
>> An attacker can place malicious javascript at the top of every page
>
> Certainly.
>
>> they could, for example, change the victim's password
>
> Doesn’t the login

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Warren Young
On Apr 2, 2017, at 9:28 PM, Eduard wrote:
>
> An attacker can place malicious javascript at the top of every page

Certainly.

> they could, for example, change the victim's password

Doesn’t the login cookie prevent the hosted user from doing that to any but

Re: [fossil-users] XSS attack and fossil hosting services

2017-04-03 Thread Warren Young
On Apr 3, 2017, at 11:15 AM, Eduard wrote:
>
> Evil-user then convinces
> good-user to visit evilproject while logged into goodproject

Ah, I see. Yes, I agree now.

>>> (Another way to fix it is by giving each repository a separate subdomain
>>
>> ...run as a
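The hosting-layout argument in the XSS thread above rests on two browser rules: the same-origin policy (scheme, host and port) and cookie domain matching. The script below is an added illustration, not code from Fossil, from chiselapp or hydra, or from any poster in the thread. It models those two rules and checks whether a given layout keeps script injected into one repository's pages away from a victim's session on another. The hostnames, paths and cookie attributes are placeholders; whether a real hosting site's login cookie is host-only or carries a Domain attribute has to be checked in the browser's cookie inspector.

```javascript
// Added example, not code from Fossil, chiselapp, hydra or anyone in this
// thread. It models the two browser rules the discussion hinges on: the
// same-origin policy (scheme + host + port) and RFC 6265 cookie domain
// matching. Hostnames and cookie values below are made up for illustration.

// Origin of a URL; default ports are omitted, as browsers do.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// Script running on page A may send the user's cookies with a request to B
// and read the response only if A and B share an origin.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// RFC 6265 section 5.1.3: a cookie set without a Domain attribute is
// host-only; one set with Domain=d is sent to d and every subdomain of d
// (but never when the request host is an IPv4 literal).
function cookieSentTo(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  if (cookie.hostOnly) return cookie.host.toLowerCase() === h;
  const d = cookie.domain.toLowerCase().replace(/^\./, '');
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return h === d || (!isIPv4 && h.endsWith('.' + d));
}

// A layout isolates goodproject from script injected into evilproject only
// if (1) the two pages are different origins, so injected script cannot
// request goodproject with the victim's session and read the reply, and
// (2) goodproject's login cookie is not sent to evilproject's host, where
// the attacker's own server would simply log it on arrival.
function layoutIsolates(evilPageUrl, goodPageUrl, goodLoginCookie) {
  const evilHost = new URL(evilPageUrl).hostname;
  return !sameOrigin(evilPageUrl, goodPageUrl)
      && !cookieSentTo(goodLoginCookie, evilHost);
}

// Three constructed layouts: path-based hosting, one subdomain per repository
// with a host-only cookie, and one subdomain per repository with a cookie
// scoped to the parent domain.
const PATH_BASED = layoutIsolates(
  'https://repos.example/evilproject/home',
  'https://repos.example/goodproject/home',
  { hostOnly: true, host: 'repos.example' });
const SUBDOMAIN_HOSTONLY = layoutIsolates(
  'https://evilproject.repos.example/home',
  'https://goodproject.repos.example/home',
  { hostOnly: true, host: 'goodproject.repos.example' });
const SUBDOMAIN_PARENT_COOKIE = layoutIsolates(
  'https://evilproject.repos.example/home',
  'https://goodproject.repos.example/home',
  { hostOnly: false, domain: 'repos.example' });

console.log({ PATH_BASED, SUBDOMAIN_HOSTONLY, SUBDOMAIN_PARENT_COOKIE });
// → { PATH_BASED: false, SUBDOMAIN_HOSTONLY: true, SUBDOMAIN_PARENT_COOKIE: false }
```

The third case is the caveat a practitioner would want: moving each repository to its own subdomain only helps if the login cookie stays host-only. A cookie set with Domain=repos.example is sent to evilproject.repos.example as well, and the attacker's server sees it regardless of the HttpOnly flag, so the per-subdomain layout is back to the path-based situation. The model deliberately says nothing about anti-CSRF tokens or other per-request protections; its point is only that under a shared origin those are the sole defence left, because the injected script can fetch any page on the origin and read the tokens out of it.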