[PATCH] hgweb: require files and directory links to begin with 'path:'

Pierre-Yves David pierre-yves.david at logilab.fr
Thu Mar 21 05:31:41 CDT 2013


On Wed, Mar 20, 2013 at 11:15:41PM +0100, Angel Ezquerra wrote:
> # HG changeset patch
> # User Angel Ezquerra <angel.ezquerra at gmail.com>
> # Date 1363809088 -3600
> #      Wed Mar 20 20:51:28 2013 +0100
> # Node ID 84f24bbe0c3e97e4e1753c894e3c963d1e6c6d63
> # Parent  136516cd3d6902aaa2edc9befc65763c56a6dbfc
> hgweb: require files and directory links to begin with 'path:'
> 
> If they don't the server will reply with a 403 HTTP forbidden error. This gets
> rid of the need to explicitly check for the known pattern types.

I really fail to grasp why you complexify the whole argument process for the
sake of being able to reply with a 403 in some rare error case.

In my opinion, the "file" argument should be documented as a plain path and
processed as such. It makes no sense to allow any pattern here. They should
not be recognised. Returning a 404 in this case is fine by me for the sake of
simplicity.


> Note that the templater has access to a "path" variable which is a path to the
> current file or directory relative to the root of the repository, and which
> begins with a "/". However archival.archive() expects 'path:' to not begin with
> a '/'. To cope with this webcommands.archive must remove the extra '/' which is
> passed by the templater.
> 
> diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
> --- a/mercurial/hgweb/webcommands.py
> +++ b/mercurial/hgweb/webcommands.py
> @@ -822,12 +822,11 @@
>      file = req.form.get('file', None)
>      if file:
>          file = file[0]
> -        patandfile = file.split(':')
> -        if len(patandfile) > 1 and patandfile[0].lower() in ('glob', 'relglob',
> -                'path', 'relpath', 're', 'relre', 'set'):
> -            msg = 'Archive pattern not allowed: %s' % file
> +        if not file.lower().startswith('path:/'):
> +            msg = "Archive path must begin with 'path:'"
>              raise ErrorResponse(HTTP_FORBIDDEN, msg)
> -        pats = ['path:' + file]
> +        # The file path has an extra "/" that must be removed
> +        pats = ['path:' + file[6:]]
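
Review bot: the new condition tests for 'path:/' but the error text says the path must begin with 'path:', so a request such as file=path:foo is refused with a 403 whose message asks for the prefix it already has. Either check for 'path:' alone and strip leading slashes as a separate step, or change the message to name 'path:/'. On the last added line, `file[6:]` is a magic number tied to the length of 'path:/' and removes exactly one slash, so an input like 'path://x' still produces a pattern that starts with '/', which the commit message says archival.archive() does not expect. Something like `file[5:].lstrip('/')` would cover both points, and a short comment or test for the doubled-slash case would document the intent.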

consider using lstrip('/')

-- 
Pierre-Yves David

http://www.logilab.fr/
