[issue1307] hgwebdir shows full URL to repo: huge security problem

Jakob van Bethlehem mercurial-bugs at selenic.com
Tue Sep 23 07:30:05 CDT 2008


New submission from Jakob van Bethlehem <jakobb at astro.rug.nl>:

Being rather new to hg, this issue may have been noted before, but I couldn't
find it.
I have set up a collection of repos to service by hgwebdir.cgi, using something
like:
    [collections]
    /hg_repos = /url/to/hg_repos
It works like a charm, but I noticed that when I click to go to one of the
repositories, the FULL /url/to/hg_repos is shown in the address of the browser!
This is a huge security problem, because suddenly I show the whole world the
structure of my system, which I definitely don't want! A much better behaviour
in my opinion would be that only the virtual path is shown and the translation
to the full path should happen fully internally, hidden from the user.

----------
messages: 7186
nosy: jakob
priority: critical
status: unread
title: hgwebdir shows full URL to repo: huge security problem
topic: security

____________________________________________________
Mercurial issue tracker <mercurial-bugs at selenic.com>
<http://www.selenic.com/mercurial/bts/issue1307>
____________________________________________________
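An added example, not part of the bug report and not Mercurial's own code, that models how a `[collections]` entry turns the repository paths found under the real root into the names that appear in URLs, and audits a configuration for filesystem-path leakage. It assumes (as a labelled assumption) that the key of a `[collections]` entry is a path prefix stripped from each discovered repository path, with the remainder becoming the URL name; the config texts and repository paths are constructed for the example.

```python
"""Added example (not Mercurial's own code): models how an hgwebdir
[collections] entry turns discovered repository paths into the names that
end up in URLs, and checks a configuration for filesystem-path leakage.

Assumption (labelled): the key of a [collections] entry is a path prefix that
is stripped from every repository path found under the value (the real
root); the remainder becomes the repository's URL name. Sample configs and
repository paths below are constructed for the example.
"""
import os

# Constructed sample input: the shape of the config in the report, and a
# variant whose prefix matches the real root so the prefix is stripped.
REPORTED_CONFIG = "[collections]\n/hg_repos = /srv/hg_repos\n"
FIXED_CONFIG = "[collections]\n/srv/hg_repos = /srv/hg_repos\n"
SAMPLE_REPOS = ["/srv/hg_repos/project", "/srv/hg_repos/tools/scripts"]


def parse_collections(config_text):
    """Return [(prefix, root)] from the [collections] section of an
    ini-style hgweb config. Other sections are ignored."""
    entries = []
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "collections" and "=" in line:
            prefix, root = (part.strip() for part in line.split("=", 1))
            entries.append((os.path.normpath(prefix), os.path.normpath(root)))
    return entries


def url_names(entries, repo_paths):
    """Map each discovered repository path to the name exposed in the URL,
    using the prefix-stripping rule stated in the module docstring."""
    names = {}
    for prefix, root in entries:
        for repo in repo_paths:
            repo = os.path.normpath(repo)
            if repo != root and not repo.startswith(root + os.sep):
                continue  # not under this collection's real root
            name = repo
            if name.startswith(prefix):
                name = name[len(prefix):]
            names[repo] = name.lstrip(os.sep)
    return names


def leaked_names(entries, names):
    """Return the URL names that still contain a configured real root,
    i.e. the names that reveal the server's filesystem layout."""
    roots = [root.lstrip(os.sep) for _, root in entries]
    return sorted(name for name in names.values()
                  if any(root in name for root in roots))


def audit(config_text, repo_paths=SAMPLE_REPOS):
    """Parse the config, compute the exposed names and list the leaky ones."""
    entries = parse_collections(config_text)
    names = url_names(entries, repo_paths)
    return names, leaked_names(entries, names)


if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED_CONFIG), ("fixed", FIXED_CONFIG)):
        names, leaks = audit(cfg)
        print(label, names, "leaks:", leaks)
```

Run as a script it prints the exposed names for both configurations; `audit()` is the function to call from a deployment check so that a server never publishes a URL name containing its real repository root.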