[PATCH] hgweb: require files and directory links to begin with 'path:'

Angel Ezquerra angel.ezquerra at gmail.com
Thu Mar 21 06:30:15 CDT 2013 

On Thu, Mar 21, 2013 at 11:31 AM, Pierre-Yves David
<pierre-yves.david at logilab.fr> wrote:
> On Wed, Mar 20, 2013 at 11:15:41PM +0100, Angel Ezquerra wrote:
>> # HG changeset patch
>> # User Angel Ezquerra <angel.ezquerra at gmail.com>
>> # Date 1363809088 -3600
>> #      Wed Mar 20 20:51:28 2013 +0100
>> # Node ID 84f24bbe0c3e97e4e1753c894e3c963d1e6c6d63
>> # Parent  136516cd3d6902aaa2edc9befc65763c56a6dbfc
>> hgweb: require files and directory links to begin with 'path:'
>>
>> If they don't the server will reply with a 403 HTTP forbidden error. This gets
>> rid of the need to explicitly check for the known pattern types.
>
> I really fails to grasp why you complexify for whole argument process for the
> shake of being able to replay a 403 in some rare error case.
>
> In my opinion, the "file" argument should be documented as a plain path and
> processed as such. It make not sense to allows any pattern here. They should
> not be recognised. Returning a 404 in this case is fine by me for the shake of
> simplicity.

I'm confused. I thought this patch _simplified_ the code. If we did
not have to remove the extra starting slash the code would be as
simple as doing a simple file.startswith('path:') check.

Note that without this check archival will happily return an empty
archive. The user cannot tell whether its input patter is wrong or the
file simply doesn't exist.

>> Note that the templater has access to a "path" variable which is a path to the
>> current file or directory relative to the root of the repository, and which
>> begins with a "/". However archival.archive() expects 'path:' to not begin with
>> a '/'. To cope with this webcommands.archive must remove the extra '/' which is
>> passed by the templater.
>>
>> diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
>> --- a/mercurial/hgweb/webcommands.py
>> +++ b/mercurial/hgweb/webcommands.py
>> @@ -822,12 +822,11 @@
>>      file = req.form.get('file', None)
>>      if file:
>>          file = file[0]
>> -        patandfile = file.split(':')
>> -        if len(patandfile) > 1 and patandfile[0].lower() in ('glob', 'relglob',
>> -                'path', 'relpath', 're', 'relre', 'set'):
>> -            msg = 'Archive pattern not allowed: %s' % file
>> +        if not file.lower().startswith('path:/'):
>> +            msg = "Archive path must begin with 'path:'"
>>              raise ErrorResponse(HTTP_FORBIDDEN, msg)
>> -        pats = ['path:' + file]
>> +        # The file path has an extra "/" that must be removed
>> +        pats = ['path:' + file[6:]]
>
> consider using lstrip('/')
>

Neat, I did not know about that.

Should I resend the patch with this little change or are you agains
the patch as a whole?

Cheers,

Angel

More information about the Mercurial-devel mailing list