[PATCH 2 of 3 V6] hgweb: teach archive how to download a specific directory or file

Angel Ezquerra angel.ezquerra at gmail.com
Wed Mar 20 10:34:52 CDT 2013


On Wed, Mar 20, 2013 at 4:29 PM, Kevin Bullock
<kbullock+mercurial at ringworld.org> wrote:
> On 20 Mar 2013, at 9:38 AM, Pierre-Yves David wrote:
>
>> On Wed, Mar 13, 2013 at 09:34:08AM +0100, Angel Ezquerra wrote:
>>> Also, I personally like the fact that we give a 403 error. IMHO it
>>> tells you exactly what is the problem without compromising the
>>> security of the server because we append "path:" to the requested file
>>> path anyway (unless there is some way to feed '\b' into the requested
>>> path?).
>>>
>>> So I'd vote to take the latest version of my patch series (V7!) which
>>> explicitly checks for known patterns, and I would deal with the
>>> possible archive.archival bug separately.
>>
>> Black-listing security does not work. Extensions and future versions may
>> (will) add extra patterns ("et bim"). I vote for requesting a plain file
>> name all the time. This means unconditionally adding "path:" in
>> front of the parameter.
>> This will return 404 on any pattern (including "path:", but plain
>> patterns are requested).
>
> The blacklist is not a security mechanism. It's a nicety to make hgweb respond with a 403 Forbidden instead of an empty archive.
>
> Can we interrogate match.py for its known pattern types, and blacklist those automatically? Looks like it would require some refactoring in match.py, but it would save us some maintenance issues later.

I think this would be a very nice solution.

> We should also fix archive.archival to abort instead of creating an empty archive, and make hgweb return a 404 if it does.

Agreed.

Angel
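To make the two options discussed in this thread concrete, here is an added toy model of the hgweb archive lookup; it is not Mercurial's code, and MATCHER_KINDS, HGWEB_BLACKLIST and the manifest are constructed. It compares blacklisting known pattern kinds (403) with unconditionally prefixing "path:", using a kind the matcher accepts but the blacklist does not, which is exactly the maintenance gap the thread worries about.

```python
import fnmatch
import re

# Constructed lists. MATCHER_KINDS stands for the kind prefixes the current
# match.py accepts; HGWEB_BLACKLIST is an older hard-coded copy in hgweb that
# was never updated when relglob/relre were added (the "et bim" scenario).
MATCHER_KINDS = ("re", "glob", "path", "relpath", "relglob", "relre")
HGWEB_BLACKLIST = ("re", "glob", "path", "relpath")

# Constructed stand-in for the manifest hgweb hands to archive.archival.
MANIFEST = ["README", "setup.py", "mercurial/match.py",
            "mercurial/hgweb/webcommands.py"]

def split_kind(pat, kinds, default):
    """Mimic match.py's 'kind:pattern' split; an unknown prefix stays in the name."""
    if ":" in pat:
        kind, rest = pat.split(":", 1)
        if kind in kinds:
            return kind, rest
    return default, pat

def select(pat):
    """Toy matcher for three families of kinds; returns selected manifest entries."""
    kind, p = split_kind(pat, MATCHER_KINDS, "relpath")
    if kind in ("path", "relpath"):
        return [f for f in MANIFEST if f == p or f.startswith(p + "/")]
    if kind in ("re", "relre"):
        return [f for f in MANIFEST if re.match(p, f)]
    return [f for f in MANIFEST if fnmatch.fnmatch(f, p)]  # glob, relglob

def archive_blacklist(requested):
    """Approach 1: 403 on kinds the blacklist knows, otherwise match as given."""
    if split_kind(requested, HGWEB_BLACKLIST, None)[0] is not None:
        return "403"
    return select(requested) or "404"

def archive_plain(requested):
    """Approach 2: always prepend 'path:', so the parameter is never a pattern."""
    return select("path:" + requested) or "404"

if __name__ == "__main__":
    for req in ("mercurial", "re:.*", "relglob:*.py", "path:README"):
        print(req, "->", archive_blacklist(req), "|", archive_plain(req))
```

With "relglob:*.py" the blacklist lets a pattern through and the archive selects every .py file, while the prefixed lookup only ever returns a literal path or a 404.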
