Re: [fossil-users] XSS attack and fossil hosting services

2017-04-02 Thread Warren Young
On Apr 2, 2017, at 9:28 PM, Eduard wrote:
>
> An attacker can place malicious javascript at the top of every page

Certainly.

> they could, for example, change the victim's password

Doesn’t the login cookie prevent the hosted user from doing that to any but their own repository, at least throu

[fossil-users] XSS attack and fossil hosting services

2017-04-02 Thread Eduard
Hi, I recently realized that fossil repository hosting websites (such as chiselapp and hydra) are vulnerable to arbitrary HTML injection (XSS) as soon as they give (untrusted) users the 'setup' capability to the repositories they create. A

Re: [fossil-users] REST API and client for same

2017-04-02 Thread Warren Young
On Apr 2, 2017, at 2:48 PM, Stephan Beal wrote:
>
> a) that's essentially what the JSON API is

…minus the lightweight Subversion-like client, of course. But, it’s good to know that most of the work is already done.

> with the notable exception of missing blob support (since JSON has no
> defi

Re: [fossil-users] REST API and client for same

2017-04-02 Thread Stephan Beal
On Sun, Apr 2, 2017 at 8:58 PM, Warren Young wrote:
> In a conversation off-list, I had an idea that might solve several
> existing problems. What if the current HTTP URL interface of Fossil were
> expanded to be able to do everything that Fossil internally can do, such
> that it eventually impl

[fossil-users] REST API and client for same

2017-04-02 Thread Warren Young
In a conversation off-list, I had an idea that might solve several existing problems. What if the current HTTP URL interface of Fossil were expanded to be able to do everything that Fossil internally can do, such that it eventually implements a REST API interface that is functionally equivalent t