[PATCH] httprepo: long arguments support (issue2126)

Steven Brown stevengbrown at gmail.com
Sun Mar 27 07:35:32 CDT 2011


On 27 March 2011 18:27, Laurens Holst <laurens.nospam at grauw.nl> wrote:
> Op 27-3-2011 11:21, Steven Brown schreef:
>>
>> On 21 March 2011 22:54, Laurens Holst <laurens.nospam at grauw.nl> wrote:
>>>
>>> Op 21-03-11 08:30, Dirkjan Ochtman schreef:
>>>>
>>>> On Mon, Mar 21, 2011 at 02:39, Matt Mackall <mpm at selenic.com> wrote:
>>>>>
>>>>> Let's try to get more discussion on whether POST is acceptable and
>>>>> anyone is using POST filtering.
>>>>
>>>> AFAICT restricting push access by filtering out POST requests is a
>>>> fairly common setup.
>>>
>>> Yes I do that too, it was the setup described on the wiki. And fairly
>>> convenient I must say (and properly RESTful :)).
>>>
>>> ~Laurens
>>>
>> It would still be possible to authenticate on push like this:
>>
>> RewriteEngine on
>> RewriteCond %{QUERY_STRING} cmd=unbundle
>> RewriteRule .* - [E=hg_auth:1]
>>
>> <Location /hg>
>>     Order Allow,Deny
>>     Allow from env=!hg_auth
>>     AuthType Basic
>>     AuthName "Mercurial repositories"
>>     AuthUserFile /home/user/hg/hgusers
>>     Require valid-user
>>     Satisfy Any
>> </Location>
>>
>> This new configuration will also work for existing servers, without
>> upgrading Mercurial. So it could be added to the Wiki as soon as this
>> patch is accepted, and POST filtering could be deprecated.
>>
>> For existing servers using POST filtering:
>> - Make a one-time change to the Apache configuration.
>> - This change can be made at any time, even before upgrading Mercurial.
>> - If the change is not made before upgrading Mercurial, pushes will
>> still be authenticated, so there is no security concern. However,
>> users will be prompted for authentication when using the clone,
>> incoming, outgoing or pull commands until the configuration is
>> updated.
>
> Would be better if it only did that when the list of heads gets too long.
> Then the current configurations will keep working most of the time (I never
> ran into the problem myself).
>
> ~Laurens
>
> --
> ~~ Ushiko-san! Kimi wa doushite, Ushiko-san nan da!! ~~
> Laurens Holst, developer, Utrecht, the Netherlands
> Website: www.grauw.nl. Backbase employee; www.backbase.com
>
>
>

Idea: We limit the query string length to 2048 bytes, and switch to a POST
request if it is longer. This will allow long arguments to be used with
Apache and IIS.

(See the default maxQueryString at
http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits)

If we get bug reports for more restrictive web servers, we can then further
reduce the maximum query string size. Hopefully, by this time, most web
servers will have the new configuration and will be unaffected.
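
Added example (not part of the message above or of the patch under discussion): a small Python model of the proposed 2048-byte switch to POST, showing which requests each of the two access-control setups from the thread would send to authentication. The function names, the `has_payload` flag, the assumption that `cmd=...` stays in the query string after the switch, and the use of `changegroupsubset` as the sample read command are all assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

MAX_QUERY = 2048  # bytes; the limit proposed in the message above

def plan_request(cmd, args, has_payload=False):
    """Return (method, query_string) for one wire-protocol command.

    Assumption: when the arguments do not fit, they move to the POST
    body and only cmd=... stays in the query string.
    """
    full = urlencode([("cmd", cmd)] + sorted(args.items()))
    if len(full.encode("ascii")) > MAX_QUERY:
        return "POST", urlencode({"cmd": cmd})
    return ("POST" if has_payload else "GET"), full

def auth_by_post_filter(method, query):
    """Older setup from the thread: every POST must authenticate."""
    return method == "POST"

def auth_by_command(method, query):
    """Quoted Apache rules: unanchored regex match on the query string."""
    return re.search(r"cmd=unbundle", query) is not None

def compare(cmd, args, has_payload=False):
    """Show the chosen method and the decision of each setup."""
    method, query = plan_request(cmd, args, has_payload)
    return {"method": method,
            "post_filter": auth_by_post_filter(method, query),
            "by_command": auth_by_command(method, query)}

# Constructed sample input: fake 40-hex node ids, not real changesets.
FEW_HEADS = {"heads": "0" * 40}
MANY_HEADS = {"heads": " ".join("%040x" % i for i in range(100))}

if __name__ == "__main__":
    for label, cmd, args, payload in [
        ("read, few heads", "changegroupsubset", FEW_HEADS, False),
        ("read, many heads", "changegroupsubset", MANY_HEADS, False),
        ("push", "unbundle", FEW_HEADS, True),
    ]:
        print(label, compare(cmd, args, payload))
```

In this model only the long read request is treated differently by the two setups: POST filtering asks for credentials, while matching on `cmd=unbundle` does not, and the push is authenticated under both.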

