[Bug 4071] New: hgweb returns HTTP200 on invalid command

mercurial-bugs at selenic.com
Sat Oct 26 17:35:03 CDT 2013


http://bz.selenic.com/show_bug.cgi?id=4071

          Priority: normal
            Bug ID: 4071
                CC: mercurial-devel at selenic.com
          Assignee: bugzilla at selenic.com
           Summary: hgweb returns HTTP200 on invalid command
          Severity: bug
    Classification: Unclassified
                OS: Linux
          Reporter: immerrr+mercurial at gmail.com
          Hardware: PC
            Status: UNCONFIRMED
           Version: 2.7.2
         Component: hgweb
           Product: Mercurial

Quite a while ago, when playing with the ReviewBoard code review tool [1], I
came across a strange behaviour from the ReviewBoard/hgweb pair: if I tried to post
a review from a revision that I had not yet pushed into the repository, RB
started crashing when trying to access this review [2] and things didn't get
back to normal after the push.  So I've traced the steps that led to the
situation and here they are:

- RB, trying to display base revision REV for a file FILE, fetched it via HTTP:

  https://REPO_URI/PATH/TO/REPO/raw-file/REV/FNAME

- the request failed because REV was not yet in the repo

- RB then fell back to the bitbucket URI scheme (changing 'raw-file' to 'raw'):

  https://REPO_URI/PATH/TO/REPO/raw/REV/FNAME

- and here's the glitch: instead of reporting a 'wrong command' error,
  hgweb returned HTTP200 with repo summary page.

- RB then interpreted the HTML as a valid file content, tried to apply the
  patch to it and failed miserably

- and then since RB caches all requests in memcached, pushing the missing
  revision into the repo didn't help, because content of FILE at REV was already
  in cache and RB didn't bother rereading it.

Here's probably the source of disconcert in hgweb_mod.py (hg-2.7.2):

    # avoid accepting e.g. style parameter as command
    if util.safehasattr(webcommands, cmd):
        req.form['cmd'] = [cmd]
    else:
        cmd = ''

So, AFAIU, if a "cmd" isn't found among "webcommands" it's being replaced
by an empty string and somewhere later on it's replaced with what seems a
default page for given template which causes the observed redirect.

Now, OK, the issue is probably on RB's side and they could fix it by
discriminating between bitbucket and hgweb servers, or rereading the file
content if the patch doesn't apply cleanly, or actually using Hg's protocol for
interaction, that's true.

But it does feel like it's a bug when an incorrect command redirects silently
instead of, say, returning HTTP403 or HTTP500.  The code has been there since
at least 1.4, am I missing something obvious?

1. reviewboard.org
2. http://code.google.com/p/reviewboard/issues/detail?id=2492

-- 
You are receiving this mail because:
You are on the CC list for the bug.
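
The chain of events in the report above, reproduced as an added example (a simplified model, not code from Mercurial, ReviewBoard or the original message). The dispatcher, the caching client, the sample revision and the 404 status for unknown commands are all assumptions made for illustration.

```python
# Simplified model of the reported behaviour; every name here is hypothetical.
SUMMARY_HTML = "<html>repository summary</html>"  # constructed sample body
COMMANDS = {"raw-file", "summary"}                # constructed subset of commands


def dispatch(repo, cmd, rev, fname, strict):
    """Return (status, body) for /<cmd>/<rev>/<fname> against a toy repo dict."""
    if cmd not in COMMANDS:
        if strict:
            return 404, "unknown command: " + cmd  # fail closed (status is assumed)
        cmd = ""                     # lenient: the fallback the report describes
    if cmd in ("", "summary"):
        return 200, SUMMARY_HTML     # default page served with a success status
    if (rev, fname) not in repo:
        return 404, "revision or file not found"
    return 200, repo[(rev, fname)]


class CachingClient:
    """Tries 'raw-file', then 'raw', and caches the first 200 body it sees."""

    def __init__(self, strict_server):
        self.strict, self.cache = strict_server, {}

    def fetch(self, repo, rev, fname):
        key = (rev, fname)
        if key in self.cache:        # a cached body is never re-read
            return self.cache[key]
        for cmd in ("raw-file", "raw"):
            status, body = dispatch(repo, cmd, rev, fname, self.strict)
            if status == 200:
                self.cache[key] = body
                return body
        return None                  # nothing cached on failure


def scenario(strict):
    """Fetch before the push, push the revision, fetch again."""
    repo, client = {}, CachingClient(strict)
    before = client.fetch(repo, "abc123", "a.txt")      # REV not in repo yet
    repo[("abc123", "a.txt")] = "real file content\n"   # the later push
    after = client.fetch(repo, "abc123", "a.txt")
    return before, after


if __name__ == "__main__":
    print("lenient:", scenario(strict=False))
    print("strict: ", scenario(strict=True))
```

With the lenient dispatcher the summary HTML is cached as the file body and survives the push; with the strict one nothing is cached until the real content exists.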