On 3/3/15, Ross Berteig <[email protected]> wrote:
>
> On 3/3/2015 1:23 PM, Richie Adler wrote:
>> Petr Ferdus said, in the message "Re: [fossil-users] fossil repolist argument with winsrv" of 3/3/2015 18:15:56:
>>> BTW fossil server could serve *.fossil files from any subdirectory of directory it was invoked with.
>
> From where I sit, this sounds like a security leak waiting to happen.
>

That's exactly why this feature is off-by-default (except for the "fossil ui" command and the "fossil ui" command only binds to the loop-back IP address so I figured that was probably safe enough). Presumably you will only turn it on for the cases where you have taken other steps to ensure it is safe.

Note also that it does not list all repos anywhere on your disk - but only repos that are directly beneath the directory specified when launched. The current design only provides a list of repositories when you give it the "/" url. But it does list all repositories under the directory tree, including those in nested subdirectories.

--
D. Richard Hipp
[email protected]
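
One way to audit what a directory-mode server with the repository list enabled could reveal before turning the feature on, as an added example that is not part of the original thread or of Fossil itself. It assumes a repository at ROOT/a/b.fossil is reachable at URL path /a/b; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every *.fossil file under ROOT and the URL path it
# would map to (assumption: ROOT/a/b.fossil is served as /a/b).
# "nested" marks repositories in subdirectories, which are easy to forget.

list_served_repos() {
    root=${1%/}
    # -type f: regular files only; symlinked files are not followed.
    find "$root" -type f -name '*.fossil' | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$root"/}          # path relative to the served directory
        url="/${rel%.fossil}"      # drop the .fossil suffix
        case $rel in
            */*) depth=nested ;;
            *)   depth=top ;;
        esac
        printf '%s %s\n' "$depth" "$url"
    done
}

# Number of repositories that sit below the top level of ROOT.
count_nested() {
    list_served_repos "$1" | awk '$1 == "nested" { n++ } END { print n + 0 }'
}

# Constructed sample tree (not real data): one intended public repository,
# one repository buried in a subdirectory, and one unrelated file.
sample=$(mktemp -d)
mkdir -p "$sample/team/private"
: > "$sample/public.fossil"
: > "$sample/team/private/payroll.fossil"
: > "$sample/notes.txt"

list_served_repos "$sample"
echo "nested repositories: $(count_nested "$sample")"
```

Run the function against the directory you intend to pass to the server and review every line marked `nested` before enabling the list.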

