[issue979] GET request with cmd=unbundle causes exception

Maxim Dounin mdounin at mdounin.ru
Tue Feb 12 10:16:48 CST 2008 

Hello!

On Tue, Feb 12, 2008 at 02:58:48PM -0000, Marti wrote:

>New submission from Marti <intgr at juffo.org>:
>
>When doing a GET request to hgweb for the unbundle command, it causes an
>unhandled exception because the Content-length HTTP header is not set.
>
>See e.g. http://www.eu.kernel.org/hg/linux-2.6/?cmd=unbundle

Just a side note:

Having tracebacks-to-browser enabled by default is security issue, 
since they may expose sensitive information (not necessarily 
related to hg or repo itself, e.g. httponly user cookies - thus 
allowing attacker to bypass their httponly'ness).

I think it's a good idea to comment out cgitb by default. 
Suggested patch attached.

Maxim Dounin
-------------- next part --------------
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1202832465 -10800
# Node ID 13d5b03c0430abbf9fca32519b62fd176dd7579a
# Parent  89c70d496175b2e359161a85a66e59fcc0f53012
hgweb: disable cgitb by default

diff -r 89c70d496175 -r 13d5b03c0430 hgweb.cgi
--- a/hgweb.cgi	Sun Feb 10 13:19:24 2008 +0100
+++ b/hgweb.cgi	Tue Feb 12 19:07:45 2008 +0300
@@ -9,9 +9,9 @@
 # enable importing on demand to reduce startup time
 from mercurial import demandimport; demandimport.enable()
 
-# send python tracebacks to the browser if an error occurs:
-import cgitb
-cgitb.enable()
+# Uncomment to send python tracebacks to the browser if an error occurs:
+#import cgitb
+#cgitb.enable()
 
 # If you'd like to serve pages with UTF-8 instead of your default
 # locale charset, you can do so by uncommenting the following lines.
diff -r 89c70d496175 -r 13d5b03c0430 hgwebdir.cgi
--- a/hgwebdir.cgi	Sun Feb 10 13:19:24 2008 +0100
+++ b/hgwebdir.cgi	Tue Feb 12 19:07:45 2008 +0300
@@ -9,9 +9,9 @@
 # enable importing on demand to reduce startup time
 from mercurial import demandimport; demandimport.enable()
 
-# send python tracebacks to the browser if an error occurs:
-import cgitb
-cgitb.enable()
+# Uncomment to send python tracebacks to the browser if an error occurs:
+#import cgitb
+#cgitb.enable()
 
 # If you'd like to serve pages with UTF-8 instead of your default
 # locale charset, you can do so by uncommenting the following lines.

More information about the Mercurial-devel mailing list