[PATCH 2 of 3 V6] hgweb: teach archive how to download a specific directory or file

[Kevin Bullock]

On 12 Mar 2013, at 4:47 PM, Angel Ezquerra wrote:

> On Tue, Mar 12, 2013 at 6:29 PM, Pierre-Yves David
> <pierre-yves.david at logilab.fr> wrote:
>> On Wed, Feb 27, 2013 at 06:06:33PM +0100, Angel Ezquerra wrote:
>>> +        if ':' in file:
>>> +            msg = 'Archive pattern not allowed: %s' % file
>>> +            raise ErrorResponse(HTTP_FORBIDDEN, msg)
>>> +        pats = ['path:' + file]
>> 
>> What about file with ":" is there name ?
> 
> I'd say that a user that created such a file deserves to not be able
> to download it ;-)
> 
> Jokes aside, the alternative is to explicitly test for the different
> patterns (e.g. relpath:, relre:, etc). The problem with that is that
> if we ever introduce a new pattern we may forget to update this filter
> and then let a malicious user use such a pattern.
> 
> So I don't know what is the best solution to this... Suggestions?

If you unconditionally prefix the filename with 'path:', it will be interpreted as a path (even if it contains a ':' later in the name). Then you'd presumably fall back on a 'file not found' error instead of the 403 Forbidden, which might even be preferable from a security standpoint.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock