Will,

On Wed, Dec 9, 2009 at 12:11 AM, Will Duquette <[email protected]> wrote:
> I clicked on one of your links, and found myself at your fossil repo,
> logged in as "btheado" with full access to the Admin settings. Eeek!

Hmm. I noticed that shortly after I sent the email. I couldn't even log out. All I did was upload my fossil database and create the two-line cgi script.

I seem to remember some emails in this list about creating a repo in one place and getting it installed somewhere else. Later I can read those and see if it helps me figure out my mistake. If anyone else knows what is going on, please let me know.

In the meantime, the database file is and has been read-only (to the cgi script user), so any modification attempts as me will fail.

I don't think it is possible to securely run fossil in read/write mode on sourceforge. I would need to make the repo file writable by the webuser and anyone who is a member of any sourceforge project can run a script as the webuser. Plus, it seems that fossil stores all passwords in plain text, so anyone with sourceforge access can read those.

Thanks for pointing it out.

Brian
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

