On Sat, Jan 30, 2016 at 1:12 AM, Ross Berteig <r...@cheshireeng.com> wrote:
> However, if the targeted repository is not writable to the process that is
> running fossil http to handle the request, SQLITE quite properly has a
> problem with that and the request fails with status 500.
>

i didn't think that was much of a deal until...

>
> RESULT: HTTP/1.0 200 OK
> Date: Fri, 29 Jan 2016 23:45:52 GMT
> ... p":1454111143,"user":"Ross","comment":"initial empty
> check-in","tags":["trunk"]}]}}SQLITE_NOTICE: delayed 1375ms for
> lock/sharing conflict at line 39704
> SQLITE_CANTOPEN: os_win.c:39711: (5)
> winOpen(c:\Users\Ross\Documents\tmp\ftest\json\.rep.fossil) - Access is
> denied.
>
> I'm not certain what the right action (if any) is here.

Agreed :/. AH - now i remember... that problem was discovered before, but not a solution:

http://www.fossil-scm.org/fossil/artifact/18266f277275d058aadb979b74c8b3af7791d649?txt=1&ln=932-939

> But is it a problem?
>
> Is there an attack vector here?
>

Best to avoid it. i'm not sure if we can figure out 'is this json mode' before sqlite3_config() is run for the first time, though (see comments at the above link).

> Do other JSON requests also exhibit this behavior?
>

Certainly.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
"Freedom is sloppy. But since tyranny's the only guaranteed byproduct of those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
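A regression check for the behaviour discussed in this thread, as an added example that is not part of the original message or of Fossil's own code: it verifies that an HTTP response body is exactly one JSON document and reports anything appended after it, such as the SQLite diagnostics and local path seen in the quoted response. The function names and the sample response are constructed for illustration (the sample is modelled on the quoted output, not copied from it).

```python
import json
import re

# SQLite error-log lines start with the result-code name, as in the quoted output.
SQLITE_DIAG = re.compile(r"(SQLITE_[A-Z_]+):")
# Absolute Windows or POSIX paths, to flag filesystem layout disclosure.
LOCAL_PATH = re.compile(r"[A-Za-z]:\\[^\s()\"']+|(?<![\w/])/[\w.-]+(?:/[\w.-]+)+")

# Constructed sample: a 200 response whose JSON body is followed by log output.
SAMPLE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"payload":{"timeline":[{"user":"example","tags":["trunk"]}]}}'
    b"SQLITE_NOTICE: delayed 1375ms for lock/sharing conflict at line 39704\n"
    b"SQLITE_CANTOPEN: os_win.c:39711: (5) "
    rb"winOpen(c:\Users\example\repo\.rep.fossil) - Access is denied."
)


def split_http(raw: bytes):
    """Split a raw HTTP response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    return int(status_line.split()[1]), body.decode("utf-8", errors="replace")


def audit_json_response(raw: bytes) -> dict:
    """Report whether the body is one JSON value with nothing after it."""
    status, body = split_http(raw)
    text = body.lstrip()  # raw_decode() does not skip leading whitespace
    try:
        _, end = json.JSONDecoder().raw_decode(text)
        json_ok = True
    except json.JSONDecodeError:
        end, json_ok = 0, False  # no leading JSON value: whole body is suspect
    trailing = text[end:].strip()
    return {
        "status": status,
        "json_ok": json_ok,
        "clean": json_ok and not trailing,
        "trailing": trailing,
        "diagnostics": SQLITE_DIAG.findall(trailing),
        "paths": LOCAL_PATH.findall(trailing),
    }


if __name__ == "__main__":
    for key, value in audit_json_response(SAMPLE).items():
        print(f"{key}: {value}")
```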