[PATCH] httprepo: long arguments support (issue2126)

Laurens Holst laurens.nospam at grauw.nl
Sun Mar 27 17:18:17 CDT 2011


On 27-3-2011 11:21, Steven Brown wrote:
> On 21 March 2011 22:54, Laurens Holst <laurens.nospam at grauw.nl> wrote:
>> On 21-03-11 08:30, Dirkjan Ochtman wrote:
>>> On Mon, Mar 21, 2011 at 02:39, Matt Mackall <mpm at selenic.com> wrote:
>>>> Let's try to get more discussion on whether POST is acceptable and
>>>> anyone is using POST filtering.
>>> AFAICT restricting push access by filtering out POST requests is a
>>> fairly common setup.
>> Yes I do that too, it was the setup described on the wiki. And fairly
>> convenient I must say (and properly RESTful :)).
>>
>> ~Laurens
>>
> It would still be possible to authenticate on push like this:
>
> RewriteEngine on
> RewriteCond %{QUERY_STRING} cmd=unbundle
> RewriteRule .* - [E=hg_auth:1]
>
> <Location /hg>
>      Order Allow,Deny
>      Allow from env=!hg_auth
>      AuthType Basic
>      AuthName "Mercurial repositories"
>      AuthUserFile /home/user/hg/hgusers
>      Require valid-user
>      Satisfy Any
> </Location>

If I understand this correctly, you’re basically saying, POST is not 
authenticated unless it’s an unbundle command?

I don’t think this is good. This means that if you want to add a new 
command that alters the server, all users would have to update their 
servers or they would be insecure. Effectively this means that you can’t 
add new commands, and you’re putting a severe restriction on Mercurial’s 
future extensibility.

REST architecture makes security easy by having clear definitions for 
the HTTP verbs. Only GET commands are guaranteed not to mutate the 
server, which is why you can safely exempt them from authentication.

Also, the opposite of what you did, adding authentication exceptions for 
certain POST commands, is dangerous, as I could e.g. add two &cmd URL 
parameters or do URL encoding tricks to fool the detection into allowing 
me authentication-less access.

It is really best to just always authenticate POST.

~Laurens

-- 
~~ Ushiko-san! Kimi wa doushite, Ushiko-san nan da!! ~~
Laurens Holst, developer, Utrecht, the Netherlands
Website: www.grauw.nl. Backbase employee; www.backbase.com
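
Added example, not part of the original message or of Mercurial's code: a small audit that contrasts the quoted `RewriteCond %{QUERY_STRING} cmd=unbundle` test with a rule keyed on the HTTP method, and reports requests where the query-string rule and the decoded request disagree. It assumes the backend decodes the query with a standard parser (Python's `parse_qs` stands in for it); the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Same test as `RewriteCond %{QUERY_STRING} cmd=unbundle`: an unanchored
# regex over the raw, still percent-encoded query string.
RAW_RULE = re.compile(r"cmd=unbundle")

def query_rule_requires_auth(query):
    return RAW_RULE.search(query) is not None

def method_rule_requires_auth(method):
    # Policy argued for in the message: only GET is exempt.
    return method.upper() != "GET"

def decoded_cmds(query):
    # Assumption: the backend decodes the query with a standard parser;
    # parse_qs stands in for it and returns every cmd value, decoded.
    return parse_qs(query, keep_blank_values=True).get("cmd", [])

def audit(requests):
    """Return (method, query, reason) for requests where the query-string
    rule and the decoded view of the request disagree or are ambiguous."""
    findings = []
    for method, query in requests:
        cmds = decoded_cmds(query)
        if "unbundle" in cmds and not query_rule_requires_auth(query):
            findings.append((method, query, "encoded cmd not seen by rule"))
        elif len(cmds) > 1:
            findings.append((method, query, "multiple cmd parameters"))
    return findings

# Constructed sample requests (not taken from the thread).
SAMPLES = [
    ("GET", "cmd=heads"),
    ("POST", "cmd=unbundle"),
    ("POST", "cmd=%75nbundle"),
    ("POST", "cmd=heads&cmd=unbundle"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
    # The method rule never inspects the query, so every POST is covered.
    print(all(method_rule_requires_auth(m) for m, _ in SAMPLES if m == "POST"))
```
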

