[PATCH] hgweb: require files and directory links to begin with 'path:'

[Angel Ezquerra]

# HG changeset patch
# User Angel Ezquerra <angel.ezquerra at gmail.com>
# Date 1363809088 -3600
#      Wed Mar 20 20:51:28 2013 +0100
# Node ID 84f24bbe0c3e97e4e1753c894e3c963d1e6c6d63
# Parent  136516cd3d6902aaa2edc9befc65763c56a6dbfc
hgweb: require files and directory links to begin with 'path:'

If they don't the server will reply with a 403 HTTP forbidden error. This gets
rid of the need to explicitly check for the known pattern types.

Note that the templater has access to a "path" variable which is a path to the
current file or directory relative to the root of the repository, and which
begins with a "/". However archival.archive() expects 'path:' to not begin with
a '/'. To cope with this webcommands.archive must remove the extra '/' which is
passed by the templater.

diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py
+++ b/mercurial/hgweb/webcommands.py
@@ -822,12 +822,11 @@
     file = req.form.get('file', None)
     if file:
         file = file[0]
-        patandfile = file.split(':')
-        if len(patandfile) > 1 and patandfile[0].lower() in ('glob', 'relglob',
-                'path', 'relpath', 're', 'relre', 'set'):
-            msg = 'Archive pattern not allowed: %s' % file
+        if not file.lower().startswith('path:/'):
+            msg = "Archive path must begin with 'path:'"
             raise ErrorResponse(HTTP_FORBIDDEN, msg)
-        pats = ['path:' + file]
+        # The file path has an extra "/" that must be removed
+        pats = ['path:' + file[6:]]
 
     mimetype, artype, extension, encoding = web.archive_specs[type_]
     headers = [
diff --git a/mercurial/templates/coal/map b/mercurial/templates/coal/map
--- a/mercurial/templates/coal/map
+++ b/mercurial/templates/coal/map
@@ -224,7 +224,7 @@
 index = ../paper/index.tmpl
 archiveentry = '
   <li>
-    <a href="{url|urlescape}archive/{node|short}{extension|urlescape}{ifeq(path,'/','',path|urlescape)}">{type|escape}</a>
+    <a href="{url|urlescape}archive/{node|short}{extension|urlescape}{ifeq(path,'/','','path:{path|urlescape}')}">{type|escape}</a>
   </li>'
 notfound = ../paper/notfound.tmpl
 error = ../paper/error.tmpl
diff --git a/mercurial/templates/gitweb/map b/mercurial/templates/gitweb/map
--- a/mercurial/templates/gitweb/map
+++ b/mercurial/templates/gitweb/map
@@ -289,7 +289,7 @@
     <td class="link">
       <a href="{url|urlescape}file/{node|short}/{file|urlescape}{sessionvars%urlparameter}">file</a> | <a href="{url|urlescape}diff/{node|short}/{file|urlescape}{sessionvars%urlparameter}">diff</a> | <a href="{url|urlescape}annotate/{node|short}/{file|urlescape}{sessionvars%urlparameter}">annotate</a> {rename%filelogrename}</td>
     </tr>'
-archiveentry = ' | <a href="{url|urlescape}archive/{node|short}{extension}{ifeq(path,'/','',path|urlescape)}">{type|escape}</a> '
+archiveentry = ' | <a href="{url|urlescape}archive/{node|short}{extension}{ifeq(path,'/','','/path:{path|urlescape}')}">{type|escape}</a> '
 indexentry = '
   <tr class="parity{parity}">
     <td>
diff --git a/mercurial/templates/monoblue/map b/mercurial/templates/monoblue/map
--- a/mercurial/templates/monoblue/map
+++ b/mercurial/templates/monoblue/map
@@ -245,7 +245,7 @@
       {rename%filelogrename}
     </td>
   </tr>'
-archiveentry = '<li><a href="{url|urlescape}archive/{node|short}{extension}{ifeq(path,'/','',path|urlescape)}">{type|escape}</a></li>'
+archiveentry = '<li><a href="{url|urlescape}archive/{node|short}{extension}{ifeq(path,'/','','/path:{path|urlescape}')}">{type|escape}</a></li>'
 indexentry = '
   <tr class="parity{parity}">
     <td><a href="{url|urlescape}{sessionvars%urlparameter}">{name|escape}</a></td>
diff --git a/mercurial/templates/paper/map b/mercurial/templates/paper/map
--- a/mercurial/templates/paper/map
+++ b/mercurial/templates/paper/map
@@ -232,7 +232,7 @@
 index = index.tmpl
 archiveentry = '
   <li>
-    <a href="{url|urlescape}archive/{node|short}{extension|urlescape}{ifeq(path,'/','',path|urlescape)}">{type|escape}</a>
+    <a href="{url|urlescape}archive/{node|short}{extension|urlescape}{ifeq(path,'/','','/path:{path|urlescape}')}">{type|escape}</a>
   </li>'
 notfound = notfound.tmpl
 error = error.tmpl