[PATCH 2 of 3 V6] hgweb: teach archive how to download a specific directory or file
Kevin Bullock
kbullock+mercurial at ringworld.org
Tue Mar 12 17:08:29 CDT 2013
On 12 Mar 2013, at 4:47 PM, Angel Ezquerra wrote:
> On Tue, Mar 12, 2013 at 6:29 PM, Pierre-Yves David
> <pierre-yves.david at logilab.fr> wrote:
>> On Wed, Feb 27, 2013 at 06:06:33PM +0100, Angel Ezquerra wrote:
>>> + if ':' in file:
>>> + msg = 'Archive pattern not allowed: %s' % file
>>> + raise ErrorResponse(HTTP_FORBIDDEN, msg)
>>> + pats = ['path:' + file]
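Review bot: the `if ':' in file` guard at the top of the hunk rejects every legitimate filename that happens to contain a colon, while the line right below it already builds `'path:' + file`; if the pattern splitter only honours the prefix before the first colon, the explicit check is redundant and the unconditional `path:` prefix alone makes a spoofed kind such as `relre:` a literal path that simply does not exist. The denylist also has to be kept in sync with every pattern kind the matcher learns, which this thread already flags as fragile. Consider dropping the 403 branch and documenting in the hunk that `path:` is prefixed precisely so the rest of the name is never parsed as a pattern kind.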
>>
>> What about files with ":" in their name?
>
> I'd say that a user that created such a file deserves to not be able
> to download it ;-)
>
> Jokes aside, the alternative is to explicitly test for the different
> patterns (e.g. relpath:, relre:, etc). The problem with that is that
> if we ever introduce a new pattern we may forget to update this filter
> and then let a malicious user use such a pattern.
>
> So I don't know what is the best solution to this... Suggestions?
If you unconditionally prefix the filename with 'path:', it will be interpreted as a path (even if it contains a ':' later in the name). Then you'd presumably fall back on a 'file not found' error instead of the 403 Forbidden, which might even be preferable from a security standpoint.
pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock
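As an added example (not code from the patch or from Mercurial itself), a small Python model of the two approaches in the thread: a denylist on ':' versus unconditionally prefixing 'path:' and splitting on the first colon only. The set of pattern kinds, the splitter and the sample repository file list are assumptions made for the illustration.

```python
# Assumed subset of pattern kinds the matcher recognises (illustration only).
KNOWN_KINDS = {'path', 'relpath', 're', 'relre', 'glob', 'relglob', 'set'}

# Constructed sample of file paths in a repository, relative to its root.
REPO_FILES = ['README', 'src/a:b.txt', 'src/main.py', 'docs/index.rst']


def split_pattern(pattern, default='glob'):
    """Split 'kind:rest' on the FIRST colon only; an unknown prefix means the
    whole string is a pattern of the default kind (simplified model)."""
    if ':' in pattern:
        kind, rest = pattern.split(':', 1)
        if kind in KNOWN_KINDS:
            return kind, rest
    return default, pattern


def blacklist_approach(file):
    """The hunk under review: refuse any name containing ':' with a 403."""
    if ':' in file:
        return 'HTTP_FORBIDDEN'
    return split_pattern('path:' + file)


def prefix_approach(file):
    """Kevin's suggestion: always prefix 'path:'; the splitter consumes that
    prefix and everything after it, colons included, is a literal path."""
    return split_pattern('path:' + file)


def path_matches(kind, pat, repo_files):
    """'path:' semantics: match the exact file or everything under that dir."""
    assert kind == 'path'
    pat = pat.strip('/')
    return [f for f in repo_files if f == pat or f.startswith(pat + '/')]


def archive_status(file, repo_files=REPO_FILES):
    """HTTP status and matched files for an archive request under the
    prefix approach: a spoofed kind becomes a nonexistent path, hence 404."""
    kind, pat = prefix_approach(file)
    matched = path_matches(kind, pat, repo_files)
    return (200, matched) if matched else (404, [])
```

A filename such as `src/a:b.txt` is served by the prefix approach but refused outright by the denylist, while a request for `relre:.*` is looked up as the literal path `relre:.*` and gets a plain 404.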