[PATCH V3] hgweb: restrict usage of regular expressions in search
Kevin Bullock
kbullock+mercurial at ringworld.org
Sat Aug 31 22:56:39 CDT 2013
On 16 Aug 2013, at 4:02 PM, Alexander Plavin wrote:
> 2013/8/17 Alexander Plavin <alexander at plav.in>:
>> # HG changeset patch
>> # User Alexander Plavin <alexander at plav.in>
>> # Date 1376650882 -14400
>> # Fri Aug 16 15:01:22 2013 +0400
>> # Node ID 0cf9f8749e3d031259a6c3ff131b4945d1dc3eeb
>> # Parent d7684354b9a2755149fc8b9740d2770634d3185e
>> hgweb: restrict usage of regular expressions in search
>>
>> If the search query has strings defining revset regular expressions
>> (those starting with 're:'), revset syntax is disabled. It eliminates the
>> possibility of ReDoS.
>>
>> diff -r d7684354b9a2 -r 0cf9f8749e3d mercurial/hgweb/webcommands.py
>> --- a/mercurial/hgweb/webcommands.py Wed Aug 07 01:16:14 2013 +0400
>> +++ b/mercurial/hgweb/webcommands.py Fri Aug 16 15:01:22 2013 +0400
>> @@ -9,7 +9,7 @@
>> import webutil
>> from mercurial import error, encoding, archival, templater, templatefilters
>> from mercurial.node import short, hex, nullid
>> -from mercurial.util import binary
>> +from mercurial.util import binary, any
>> from common import paritygen, staticfile, get_contact, ErrorResponse
>> from common import HTTP_OK, HTTP_FORBIDDEN, HTTP_NOT_FOUND
>> from mercurial import graphmod, patch
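Review bot: importing `any` by name in `from mercurial.util import binary, any` puts a bare `any` into this module's namespace, which is what trips the check-code test mentioned in the follow-up; import the module instead (`from mercurial import util`) and spell the call `util.any(...)` at the use site in the second hunk, so the utility is still used without shadowing the builtin name at module scope.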
>> @@ -175,6 +175,10 @@
>> # no revset syntax used
>> return 'kw'
>>
>> + if any((token, (value or '')[:3]) == ('string', 're:')
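Review bot: the quoted hunk stops mid-expression at the `if any(...)` line, so the iterable the generator walks and what the branch returns cannot be reviewed from this quote; when resending, add a one-line comment above the condition, in the style of the `# no revset syntax used` comment just above it, stating that a `'string'` token whose value begins with `re:` disables revset syntax to rule out ReDoS, as the commit message says, since the `(value or '')[:3]` slice (the `or ''` guarding tokens with no value) is easy to misread on its own.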
>
> Now 'any' is used legitimately here, as it's imported at the top.
> However, don't know what to do with the check code test failing here
> due to use of 'any'.
I suspect the correct approach would be to change the import line to: `from mercurial import util`, and then call `util.any(...)`.
pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock