Other things we do at ChiselApp:
1. Enable Safe interpreters for Tcl
2. Enforce that the SSH program cannot be run (by patching popen2() to return an error)
3. (Not complete, but started) run each instance of Fossil as a different UID based on their Flint UID+131072
I thought about putting each repo under their own domain, but doing so requires a bit more work:
1. Need to add the domain to the Public Suffix List (otherwise, you haven't mitigated the issue completely)
2. Getting a wildcard cert
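Added example, not part of the original message or of Hydra/ChiselApp: a minimal model of the RFC 6265 cookie domain rules that illustrates the Public Suffix List point above. Without a PSL entry for the shared parent host, a repository on one subdomain can set a Domain= cookie that the browser attaches to every sibling subdomain, so per-repository subdomains alone do not isolate sessions. The host names and the suffix list are constructed for the example.

```python
# Simplified RFC 6265 cookie scoping, to show why per-repository subdomains
# need the parent host on the Public Suffix List. Constructed example only.

# Constructed stand-in for the real Public Suffix List (publicsuffix.org).
BASE_PSL = frozenset({"com", "org", "net", "example"})


def domain_matches(host, domain):
    """RFC 6265 s5.1.3: host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookie_accepted(setting_host, cookie_domain, psl):
    """RFC 6265 s5.3 steps 5-6: a Set-Cookie with Domain=cookie_domain is
    ignored when that domain is a public suffix (unless it equals the request
    host exactly) or when it does not cover the host that set it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    if cookie_domain in psl and cookie_domain != setting_host.lower():
        return False
    return domain_matches(setting_host, cookie_domain)


def cookie_sent_to(victim_host, setting_host, cookie_domain, psl):
    """Would a cookie set by setting_host with Domain=cookie_domain be
    attached to requests for victim_host? Host-only cookies (no Domain
    attribute) are modelled by passing cookie_domain == setting_host."""
    if not cookie_accepted(setting_host, cookie_domain, psl):
        return False
    if cookie_domain.lower() == setting_host.lower():
        # Host-only cookie: sent to exactly that host, never to siblings.
        return victim_host.lower() == setting_host.lower()
    return domain_matches(victim_host, cookie_domain)


if __name__ == "__main__":
    # Constructed hosting layout: one repo per subdomain of hosting.example.
    attacker, victim, parent = ("evil.hosting.example",
                                "victim.hosting.example", "hosting.example")
    # Parent not on the PSL: attacker's Domain= cookie reaches the sibling.
    print("leaks without PSL entry:",
          cookie_sent_to(victim, attacker, parent, BASE_PSL))
    # Parent listed as a public suffix: the browser discards that cookie.
    print("leaks with PSL entry:   ",
          cookie_sent_to(victim, attacker, parent, BASE_PSL | {parent}))
```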
On Mon, 4 Jun 2018, Eduard wrote:
I was planning on making a more official announcement, but here goes.
I'm the developer of Hydra, a single-sign-on and manager for fossil
repositories. https://hydra.ecd.space/f/hydra/wiki/hydra
I think this is relevant as people may be looking for GitHub alternatives for
multiproject hosting.
I've recently fixed the XSS/CSRF vulnerabilities inherent to hosting multiple
repositories on the same domain (which also affect chiselapp), when setup
privilege is given to malicious users (for the repositories they create) and
they convince other people to visit their malicious repository while logged
in. I've done this by using a separate subdomain for each repository, and by
patching Fossil itself to receive the CSRF token from Hydra. More details
here: https://static.ecd.space/x/hydra/doc/build/html/subdomains.html
I've also done some security hardening by dropping each repository in a
separate chroot (to contain damage from a potential arbitrary code execution
vulnerability in fossil itself).
(Sorry drh, I accidentally replied only to you instead of the mailing list.)
On 06/03/2018 09:28 PM, Richard Hipp wrote:
There is suddenly a big uptick in traffic to fossil-scm.org,
apparently due to the recent GitHub rumor. Unlike that traditional
"slashdot effect", though, the referrals seem to be coming from a large
variety of sources.
So, if anybody sees any last minute tidying up that we need to do to
the website in anticipation of a huge influx of first-time visitors,
please speak up. Quickly.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users