[issue778] hooks not run in hgwebdir, but works in global hgrc
Matt Mackall
mpm at selenic.com
Fri Oct 12 11:15:16 CDT 2007
On Fri, Oct 12, 2007 at 06:42:29PM +1000, James Mills wrote:
> On Fri, Oct 12, 2007 at 06:45:26AM -0000, nfiedler wrote:
> >
> > New submission from nfiedler <nathan.fiedler at gmail.com>:
> >
> > If I try defining a changegroup hook in the .hg/hgrc file within my repository
> > that is served via hgwebdir, the hook is not invoked when I issue a push to that
> > repository over http.
>
> I also experience this with current 0.9.4 release :/
This is a security feature.
Mercurial doesn't trust most settings in hgrc files that are not owned
by the current user. If it did, Alice could add an extension to
.hg/hgrc that would steal Bob's data when Bob ran "hg log" in her
directory. Similar problems are possible with hooks as well.
Because Apache typically runs CGI scripts as nobody, hgweb quite often
doesn't trust most of your .hgrc settings.
--
Mathematics is the supreme nostalgia of our time.
More information about the Mercurial-devel
mailing list