[PATCH 1 of 4] schemas: add schemas to repositories

Augie Fackler raf at durin42.com
Fri Aug 9 10:04:00 CDT 2013

On Thu, Aug 08, 2013 at 08:36:29AM +0200, Angel Ezquerra wrote:
> On Thu, Aug 8, 2013 at 1:43 AM, Durham Goode <durham at fb.com> wrote:
> > On 8/7/13 4:23 PM, "Angel Ezquerra" <angel.ezquerra at gmail.com> wrote:
> >
> >>
> >>On Aug 8, 2013 12:40 AM, "Durham Goode" <durham at fb.com> wrote:
> >>>
> >>>I wasn't aware of the projrc extension, but I did discuss that concept
> >>> internally and with Matt. I think the problem is that it just isn't
> >>> secure enough.  If one of our users is dumb and sets up "servers = *,
> >>> include = *", they could execute arbitrary code from bitbucket within
> >>> our network.
> >>>
> >>> Durham
> >>I understand your concern but the extension does not blindly accept new
> >>configurations. In fact I think it is actually pretty safe and it has
> >>been developed to be as safe as possible. In particular by default the
> >>extension requires confirmation whenever the projrc file changes.
> >>Currently it does not show which settings changed but it could do so.
> >>It could also require explicit confirmation before accepting changes to
> >>the "dangerous" sections.
> >>Additionally the extension could be tweaked to be even safer. For example
> >>the extension could be changed so that it would only accept projrc
> >>settings from your internal servers. Another option would be to make it
> >>necessary to explicitly include dangerous settings such as hooks and
> >>extensions (i.e. include = * would only include safe settings).
> >>On the other hand I feel that your proposed schemas functionality is a
> >>bit narrow to be included as part of mercurial core. Distributing a
> >>common mercurial config is a common problem. IMHO it would be nice if
> >>mercurial offered a generic solution to that problem. I don't think your
> >>proposal is such a solution.
> >>Angel
> >
> >
> > It's totally possible the schema stuff isn't appropriate for upstream
> > core. I'm open to that response from the community.
> Maybe I was too categorical. What I meant to say is that your proposal
> seems a bit too narrow in scope. It would be nice if mercurial had a
> built-in, secure way to distribute (default) settings.

The difficulty here is that many config knobs can lead to arbitrary
code execution (e.g. [alias] stuff).

> That being said to a certain extent this is already the case for many
> users, since TortoiseHg bundles the projrc extension.

It's off by default, right?

> Cheers,
> Angel
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at selenic.com
> http://selenic.com/mailman/listinfo/mercurial-devel
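
An added example, not part of the original thread and not code from the projrc extension: a sketch of the "include = * would only include safe settings" idea from the quoted message, written as an allowlist because, as the reply notes, many knobs besides [hooks] and [extensions] can run code. The allowlist contents, the function names and the sample config are assumptions constructed for illustration.

```python
import configparser

# Assumption: an illustrative allowlist of (section, key) pairs that a remotely
# distributed config may set without confirmation. Everything else is held.
SAFE_SETTINGS = {("diff", "git"), ("diff", "showfunc"), ("ui", "verbose")}

# Constructed sample of a config file received from a remote server.
SAMPLE_REMOTE_RC = """\
[diff]
git = True

[ui]
verbose = True
ssh = ssh -C

[alias]
st = !echo constructed-shell-alias

[hooks]
update = echo constructed-hook
"""


def split_remote_config(text, safe=SAFE_SETTINGS):
    """Return (accepted, held): settings on the allowlist, and all the rest."""
    parser = configparser.RawConfigParser(strict=False)  # no interpolation
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    accepted, held = {}, {}
    for section in parser.sections():
        for key, value in parser.items(section):
            # Decide per key, not per section: [ui] holds both harmless
            # switches and ui.ssh, which names a program to run.
            target = accepted if (section, key) in safe else held
            target[(section, key)] = value
    return accepted, held


def apply_remote_config(text, confirm, safe=SAFE_SETTINGS):
    """Accept allowlisted settings; ask confirm(item, value) for each held one."""
    accepted, held = split_remote_config(text, safe)
    for item, value in held.items():
        if confirm(item, value):
            accepted[item] = value
    return accepted
```
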
