Re: [fossil-users] Fossil version 1.25 scheduled.
+1

----- Original Message -----
From: Dmitry Chestnykh dmi...@codingrobots.com
To: Fossil SCM user's discussion fossil-users@lists.fossil-scm.org
Sent: Saturday, December 1, 2012 4:44 AM
Subject: Re: [fossil-users] Fossil version 1.25 scheduled.

> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp d...@sqlite.org wrote:
>> I wonder if it should be even more restrictive - and only deliver static
>> content that ends in some well-known subset of suffixes: *.html, *.htm,
>> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>
> I think this would be too restrictive.
>
> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or a similar flag is supplied. I'm worried
> that this change may be surprising to some people who currently may store
> sensitive information along with their repositories. When they upgrade to
> the new version, suddenly their files become exposed to the world.
>
> --
> Dmitry Chestnykh
> http://www.codingrobots.com

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Fossil version 1.25 scheduled.
Dmitry Chestnykh wrote on Fri, 30 Nov 2012 14:09:20 -0800:
> Regarding this change:
>
>   - Enhance the fossil server DIRECTORY command to serve static content
>     files contained in DIRECTORY.
>
> It now allows downloading the repo itself.
>
> e.g. fossil server ~/fossils (I have a Fossil clone located at
> ~/fossil/pub/fossil.fossil)
>
> http://127.0.0.1:8080/pub/fossil/ will show the repository, as intended,
> while http://127.0.0.1:8080/pub/fossil.fossil will download it. Oops.
>
> -Dmitry

Why not allow fossil to serve files only from a specific and specified directory (in settings)? I think that's better than filtering on mime types etc. An advantage is that it allows you to serve whatever file you want, maybe including fossil repos or whatever custom files you have.
Re: [fossil-users] Fossil version 1.25 scheduled.
fossil-m...@h-rd.org wrote, in the message Re: [fossil-users] Fossil version 1.25 scheduled. of Tuesday, 4 December 2012 07:26:32:
> Why not allow fossil to serve files only from a specific and specified
> directory (in settings)? I think that's better than filtering on mime
> types etc. An advantage is that it allows you to serve whatever file you
> want, maybe including fossil repos or whatever custom files you have.

+1
Re: [fossil-users] Fossil version 1.25 scheduled.
On 2012-12-04 at 06:03, Richie Adler richiead...@gmail.com wrote:
> fossil-m...@h-rd.org wrote, in the message Re: [fossil-users] Fossil
> version 1.25 scheduled. of Tuesday, 4 December 2012 07:26:32:
>> Why not allow fossil to serve files only from a specific and specified
>> directory (in settings)? I think that's better than filtering on mime
>> types etc. An advantage is that it allows you to serve whatever file you
>> want, maybe including fossil repos or whatever custom files you have.
>
> +1

+1. Or, instead of filtering based on mime type, it could have a setting (e.g. serve-static-glob), empty by default. If you want to serve static files, you add them to the setting, or (*,.*) if you want everything. You can also limit to everything in a directory with: dir/*

--
Martin G.
Re: [fossil-users] Fossil version 1.25 scheduled.
2012/12/1 Clive Hayward haywa...@chayward.com:
> Please add the latest Microsoft Office formats to the supported types.
> .xlsx, docx, pptx

It's done in [4e23c42f7e], but not with the correct mime-types. See:

http://technet.microsoft.com/en-us/library/ee309278%28office.12%29.aspx

for the complete list of Office 2007 mime-types and all possible extensions.

Regards,
Jan Nijtmans
Re: [fossil-users] Fossil version 1.25 scheduled.
On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp d...@sqlite.org wrote:
> I wonder if it should be even more restrictive - and only deliver static
> content that ends in some well-known subset of suffixes: *.html, *.htm,
> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js

I think this would be too restrictive.

On a related note, I think you should consider making the previous behaviour (not serving static files) the default one, and serve static files only when --static-files or a similar flag is supplied. I'm worried that this change may be surprising to some people who currently may store sensitive information along with their repositories. When they upgrade to the new version, suddenly their files become exposed to the world.

--
Dmitry Chestnykh
http://www.codingrobots.com
Re: [fossil-users] Fossil version 1.25 scheduled.
Dmitry Chestnykh wrote, in the message Re: [fossil-users] Fossil version 1.25 scheduled. of Saturday, 1 December 2012 09:44:27:
> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or a similar flag is supplied. I'm worried
> that this change may be surprising to some people who currently may store
> sensitive information along with their repositories. When they upgrade to
> the new version, suddenly their files become exposed to the world.

Or when a hosting site updates Fossil (Chisel comes to mind). Proposal seconded.

--
o-= Marcelo =-o
Re: [fossil-users] Fossil version 1.25 scheduled.
On Sat, Dec 1, 2012 at 7:44 AM, Dmitry Chestnykh dmi...@codingrobots.com wrote:
> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp d...@sqlite.org wrote:
>> I wonder if it should be even more restrictive - and only deliver static
>> content that ends in some well-known subset of suffixes: *.html, *.htm,
>> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>
> I think this would be too restrictive.

I changed it so that it will only serve files with one of the 187 different suffixes for which Fossil is able to guess the mimetype. (See http://www.fossil-scm.org/fossil/artifact/734e4bf7a6ffc5?ln=97-283) None of *.fossil, *.fossil-journal, *.fossil-wal, and *.fossil-shm are on that list.

Other anti-mischief rules:

(1) The pathname may only contain ASCII alphanumerics, _, /, -, and .
(2) The pathname may not contain /-
(3) Any . in the pathname must be surrounded on both sides by alphanumerics.
(4) The pathname may not contain .fossil

Notice that these rules prevent serving any file whose name begins with . or -, prevent the serving of files ending in suffixes like .off or .bu, and prevent things like /../ in pathnames, etc.

> On a related note, I think you should consider making the previous
> behaviour (not serving static files) the default one, and serve static
> files only when --static-files or a similar flag is supplied. I'm worried
> that this change may be surprising to some people who currently may store
> sensitive information along with their repositories. When they upgrade to
> the new version, suddenly their files become exposed to the world.

The fossil ui command already does this. I'll consider it also for fossil server.

I don't guess I've mentioned (needs to be added to the changelog) that fossil http follows the same rules as fossil server and will serve static content now.

> --
> Dmitry Chestnykh
> http://www.codingrobots.com

--
D. Richard Hipp
d...@sqlite.org
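The four pathname rules and the mimetype-suffix allowlist described in the message above, written out as a request-path checker so the rejection reasons can be seen for the cases discussed in this thread. This is an added example, not Fossil's own code; the suffix set is a constructed sample standing in for the 187-entry table, and the function names are assumptions.

```python
import re

# Constructed sample of suffixes for which a mimetype can be guessed; the
# real Fossil table (assumption: not reproduced here) has 187 entries.
KNOWN_SUFFIXES = frozenset({
    "html", "htm", "jpg", "jpeg", "gif", "png", "txt", "css", "js",
    "xlsx", "docx", "pptx",
})

# Rule 1: ASCII alphanumerics, '_', '/', '-' and '.' only.
_RULE1 = re.compile(r"^[A-Za-z0-9_/.\-]+$")


def static_path_rejection(path, suffixes=KNOWN_SUFFIXES):
    """Return None if `path` may be served as static content, otherwise a
    short reason naming the rule that rejected it. `path` is the request
    path; a leading '/' is assumed so that rules 2 and 3 also cover the
    first path component (a name starting with '-' or '.')."""
    if not path.startswith("/"):
        path = "/" + path
    if not _RULE1.match(path):
        return "rule 1: character outside ASCII alphanumerics, _, /, -, ."
    if "/-" in path:
        return "rule 2: contains /-"
    for i, ch in enumerate(path):
        # Rule 3 rejects leading dots, /../ segments and trailing dots alike.
        if ch == "." and not (
            0 < i < len(path) - 1
            and path[i - 1].isalnum()
            and path[i + 1].isalnum()
        ):
            return "rule 3: '.' not surrounded by alphanumerics"
    if ".fossil" in path:
        return "rule 4: contains .fossil"
    # Suffix allowlist: only serve what a mimetype can be assigned to,
    # which is what keeps backup-style names such as .bu or .off out.
    suffix = path.rsplit(".", 1)[1] if "." in path else ""
    if suffix not in suffixes:
        return "suffix has no known mimetype: %r" % suffix
    return None


def is_servable(path, suffixes=KNOWN_SUFFIXES):
    return static_path_rejection(path, suffixes) is None


if __name__ == "__main__":
    # Constructed request paths, including the case reported on the list.
    for p in ("/pub/fossil/index.html", "/pub/fossil.fossil",
              "/pub/fossil.fossil-journal", "/../etc/passwd",
              "/.htaccess", "/-rf", "/index.html.bu"):
        print("%-28s %s" % (p, static_path_rejection(p) or "serve"))
```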
Re: [fossil-users] Fossil version 1.25 scheduled.
2012/11/30 Richard Hipp d...@sqlite.org
> I have put up a change log for Fossil version 1.25 with a tentative
> release date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
>
> There has been a *lot* of change since 1.24. Please test the trunk version
> of Fossil as you are able to. Report any issues to this mailing list, or
> file a ticket. We want 1.25 to be a good release, but we need your help in
> testing in order to accomplish that.
>
> FWIW, we do eat our own dogfood. The Fossil executable that runs the
> Fossil website gets updated to the tip of trunk roughly every day. The
> same executable also runs http://www.sqlite.org/ and several other
> websites. And all of my personal machines (linux, mac, and windows) are
> running the very latest Fossil code. If there were serious problems with
> the latest Fossil code, I would be doomed. You can trust that the tip of
> trunk is reasonably stable.
>
> Nevertheless, I'm sure if hundreds of you start testing the latest code,
> some of you will run across various minor issues, issues that we would
> prefer to fix prior to 1.25 instead of after. Therefore, do please test.
>
> Thanks.

I have been testing the latest trunk on FreeBSD (so far no problem spotted). Thank you very much, I am a big user of fossil on FreeBSD and really happy with it :)

I haven't followed the development recently, but was hoping for a markdown integration for 1.25 given that a branch for markdown integration has been created months ago. So sorry to bother you again with this, but is there any status for this particular thing?

regards,
Bapt
Re: [fossil-users] Fossil version 1.25 scheduled.
Please add the latest Microsoft Office formats to the supported types. .xlsx, docx, pptx

Thanks

On Sat, Dec 1, 2012 at 5:35 AM, Richard Hipp d...@sqlite.org wrote:
> On Sat, Dec 1, 2012 at 4:03 AM, Richard Hipp d...@sqlite.org wrote:
>> I wonder if it should be even more restrictive - and only deliver static
>> content that ends in some well-known subset of suffixes: *.html, *.htm,
>> *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js
>
>> I think this would be too restrictive.
>
> I changed it so that it will only serve files with one of the 187
> different suffixes for which Fossil is able to guess the mimetype. (See
> http://www.fossil-scm.org/fossil/artifact/734e4bf7a6ffc5?ln=97-283) None
> of *.fossil, *.fossil-journal, *.fossil-wal, and *.fossil-shm are on that
> list.

--
Clive Hayward
Re: [fossil-users] Fossil version 1.25 scheduled.
New feature of getting diff by clicking graph in timeline doesn't seem to work on IE8.

----- Original Message -----
From: Richard Hipp
Sent: 12/01/12 02:46 AM
To: fossil-users
Subject: [fossil-users] Fossil version 1.25 scheduled.

> I have put up a change log for Fossil version 1.25 with a tentative
> release date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
>
> There has been a *lot* of change since 1.24. Please test the trunk version
> of Fossil as you are able to. Report any issues to this mailing list, or
> file a ticket. We want 1.25 to be a good release, but we need your help in
> testing in order to accomplish that.
>
> FWIW, we do eat our own dogfood. The Fossil executable that runs the
> Fossil website gets updated to the tip of trunk roughly every day. The
> same executable also runs http://www.sqlite.org/ and several other
> websites. And all of my personal machines (linux, mac, and windows) are
> running the very latest Fossil code. If there were serious problems with
> the latest Fossil code, I would be doomed. You can trust that the tip of
> trunk is reasonably stable.
>
> Nevertheless, I'm sure if hundreds of you start testing the latest code,
> some of you will run across various minor issues, issues that we would
> prefer to fix prior to 1.25 instead of after. Therefore, do please test.
>
> Thanks.
>
> --
> D. Richard Hipp
> d...@sqlite.org
[fossil-users] Fossil version 1.25 scheduled.
I have put up a change log for Fossil version 1.25 with a tentative release date of 2012-12-19

http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki

There has been a *lot* of change since 1.24. Please test the trunk version of Fossil as you are able to. Report any issues to this mailing list, or file a ticket. We want 1.25 to be a good release, but we need your help in testing in order to accomplish that.

FWIW, we do eat our own dogfood. The Fossil executable that runs the Fossil website gets updated to the tip of trunk roughly every day. The same executable also runs http://www.sqlite.org/ and several other websites. And all of my personal machines (linux, mac, and windows) are running the very latest Fossil code. If there were serious problems with the latest Fossil code, I would be doomed. You can trust that the tip of trunk is reasonably stable.

Nevertheless, I'm sure if hundreds of you start testing the latest code, some of you will run across various minor issues, issues that we would prefer to fix prior to 1.25 instead of after. Therefore, do please test.

Thanks.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Fossil version 1.25 scheduled.
2012/11/30 Richard Hipp d...@sqlite.org:
> I have put up a change log for Fossil version 1.25 with a tentative
> release date of 2012-12-19
>
> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki

I am reading in the ChangeLog:

  "Disallow invalid UTF8 characters (such as overlength characters or characters in the surrogate pair range) in filename."

The current code disallows characters in the surrogate pair range, characters U+ and characters in the Private area, but not overlength characters or invalid UTF-8 byte sequences. Of course those two possibilities could still be added.

Regards,
Jan Nijtmans
Re: [fossil-users] Fossil version 1.25 scheduled.
On Fri, Nov 30, 2012 at 5:09 PM, Dmitry Chestnykh dmi...@codingrobots.com wrote:
> Regarding this change:
>
>   - Enhance the fossil server DIRECTORY command to serve static content
>     files contained in DIRECTORY.
>
> It now allows downloading the repo itself.

Thanks for noticing this huge security hole. The fossil server command now refuses to deliver any file as static content that contains .fossil anywhere in its name. That prevents repositories and their journal files from being delivered as static content.

I wonder if it should be even more restrictive - and only deliver static content that ends in some well-known subset of suffixes: *.html, *.htm, *.jpg, *.jpeg, *.gif, *.png, *.txt, *.css, *.js

> e.g. fossil server ~/fossils (I have a Fossil clone located at
> ~/fossil/pub/fossil.fossil)
>
> http://127.0.0.1:8080/pub/fossil/ will show the repository, as intended,
> while http://127.0.0.1:8080/pub/fossil.fossil will download it. Oops.
>
> -Dmitry
>
> PS Clicking on nodes for diff is *awesome*!
>
> On Fri, Nov 30, 2012 at 10:16 PM, Richard Hipp d...@sqlite.org wrote:
>> I have put up a change log for Fossil version 1.25 with a tentative
>> release date of 2012-12-19
>>
>> http://www.fossil-scm.org/fossil/doc/trunk/www/changes.wiki
>>
>> There has been a *lot* of change since 1.24. Please test the trunk
>> version of Fossil as you are able to. Report any issues to this mailing
>> list, or file a ticket. We want 1.25 to be a good release, but we need
>> your help in testing in order to accomplish that.
>>
>> FWIW, we do eat our own dogfood. The Fossil executable that runs the
>> Fossil website gets updated to the tip of trunk roughly every day. The
>> same executable also runs http://www.sqlite.org/ and several other
>> websites. And all of my personal machines (linux, mac, and windows) are
>> running the very latest Fossil code. If there were serious problems with
>> the latest Fossil code, I would be doomed. You can trust that the tip of
>> trunk is reasonably stable.
>>
>> Nevertheless, I'm sure if hundreds of you start testing the latest code,
>> some of you will run across various minor issues, issues that we would
>> prefer to fix prior to 1.25 instead of after. Therefore, do please test.
>>
>> Thanks.
>>
>> --
>> D. Richard Hipp
>> d...@sqlite.org
>
> --
> Dmitry Chestnykh
> http://www.codingrobots.com

--
D. Richard Hipp
d...@sqlite.org