[PATCH 5 of 6 V3] hgweb: blacklist heavyweight revset functions in hgweb search

Kevin Bullock kbullock+mercurial at ringworld.org
Sat Aug 31 23:54:34 CDT 2013


On 22 Aug 2013, at 10:11 AM, Alexander Plavin wrote:

> # HG changeset patch
> # User Alexander Plavin <alexander at plav.in>
> # Date 1374269558 -14400
> #      Sat Jul 20 01:32:38 2013 +0400
> # Node ID 3767921c4b274499fe4254bdafef56bba346b088
> # Parent  5734dd4b2bd2a859a2ef0be6e0f4485f028abf6e
> hgweb: blacklist heavyweight revset functions in hgweb search
> 
> Disallow usage of functions 'contains' and 'grep'.

It will be verbose, but I'd rather have a whitelist of known-safe(-ish) revsets. That way when we add the next (possibly unexpectedly!) compute-intensive revset, we won't be opening our users up to new DoS attacks because we forgot to blacklist it.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
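To make the whitelist-versus-blacklist point concrete, here is an added example (not Mercurial's code, and not the hgweb patch under review) that scans a revset expression for the function names it calls and applies both policies. It assumes a simple regex scanner instead of Mercurial's real revset parser; the names in ALLOWLIST are an illustrative "known-safe(-ish)" set, and `newcostly` stands in for a hypothetical future function that was never added to the blacklist.

```python
import re

# Constructed for illustration: this is NOT hgweb's real policy table.
# 'contains' and 'grep' are the two functions the patch proposes to disallow.
BLOCKLIST = frozenset({"contains", "grep"})

# Assumed "known-safe(-ish)" set for the whitelist variant; the real list
# would be chosen by the maintainers after reviewing each revset's cost.
ALLOWLIST = frozenset({
    "ancestors", "descendants", "heads", "branch", "user", "author",
    "date", "keyword", "tag", "bookmark",
})

# Revset keywords that may precede '(' without being a function call.
_KEYWORDS = frozenset({"and", "or", "not"})

# Scanner: string literals are matched first so that a function name
# appearing *inside* a quoted argument is not mistaken for a call.
_TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"'                  # double-quoted literal
    r"|'(?:[^'\\]|\\.)*'"                 # single-quoted literal
    r"|([A-Za-z_][A-Za-z0-9_]*)\s*\("     # identifier followed by '(' => call
    r"|.",                                # any other single character
    re.DOTALL,
)


def called_functions(revset):
    """Return the function names invoked in a revset expression, in order."""
    names = []
    for m in _TOKEN.finditer(revset):
        name = m.group(1)
        if name and name not in _KEYWORDS:
            names.append(name)
    return names


def blocklist_permits(revset):
    """Blacklist policy: everything not explicitly blocked is allowed."""
    return not any(n in BLOCKLIST for n in called_functions(revset))


def allowlist_permits(revset):
    """Whitelist policy: only explicitly reviewed functions are allowed."""
    return all(n in ALLOWLIST for n in called_functions(revset))


if __name__ == "__main__":
    # Constructed queries. 'newcostly' is a hypothetical future revset
    # function that nobody remembered to add to the blacklist.
    queries = [
        'ancestors(tip) and keyword("fix")',
        'grep("password")',
        'keyword("grep(")',          # 'grep(' inside a string is not a call
        'newcostly("x")',
    ]
    for q in queries:
        print("%-36s blacklist=%-5s whitelist=%s"
              % (q, blocklist_permits(q), allowlist_permits(q)))
```

The last query is the case Kevin describes: the blacklist lets `newcostly("x")` through because nobody listed it, while the whitelist rejects it until someone has reviewed its cost and added it. The scanner skips quoted arguments so that a search for the text `grep(` is not itself treated as a call.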


