[PATCH 5 of 6 V3] hgweb: blacklist heavyweight revset functions in hgweb search
Alexander Plavin
alexander at plav.in
Sun Sep 1 01:25:18 CDT 2013
01.09.2013, 08:54, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
> On 22 Aug 2013, at 10:11 AM, Alexander Plavin wrote:
>
>> # HG changeset patch
>> # User Alexander Plavin <alexander at plav.in>
>> # Date 1374269558 -14400
>> # Sat Jul 20 01:32:38 2013 +0400
>> # Node ID 3767921c4b274499fe4254bdafef56bba346b088
>> # Parent 5734dd4b2bd2a859a2ef0be6e0f4485f028abf6e
>> hgweb: blacklist heavyweight revset functions in hgweb search
>>
>> Disallow usage of functions 'contains' and 'grep'.
>
> It will be verbose, but I'd rather have a whitelist of known-safe(-ish) revsets. That way when we add the next (possibly unexpectedly!) compute-intensive revset, we won't be opening our users up to new DoS attacks because we forgot to blacklist it.
Agree, makes sense. And what about moving this part of the code to revset.py?
>
> pacem in terris / мир / शान्ति / سَلاَم / 平和
> Kevin R. Bullock
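A sketch of the allow-list check Kevin proposes next to the deny-list the patch describes, added here as an example that is not part of this thread or of Mercurial's code. It assumes the nested-tuple tree shape Mercurial's revset parser produces (e.g. `('func', ('symbol', 'grep'), ('string', 'x'))`); the query trees and the SAFE_FUNCS set below are constructed for the example, not taken from the project.

```python
# Constructed example: compare deny-listing heavyweight revset functions
# against allow-listing known-cheap ones, over a parsed revset tree.
# Tree nodes mirror mercurial's parser output (assumption): ('func', name, args),
# ('and', a, b), ('or', a, b), ('not', a), ('symbol', s), ('string', s).

# The two functions the patch disallows.
HEAVY_FUNCS = frozenset({"contains", "grep"})

# Hypothetical allow-list of cheap functions for hgweb search (assumption,
# not Mercurial's list).
SAFE_FUNCS = frozenset({"ancestors", "descendants", "heads", "author",
                        "branch", "date", "keyword", "user"})


def functions_in(tree):
    """Yield every function name called anywhere in a revset tree."""
    if not isinstance(tree, tuple):
        return
    if tree[0] == "func" and isinstance(tree[1], tuple) and tree[1][0] == "symbol":
        yield tree[1][1]
    for child in tree[1:]:          # arguments and sub-expressions
        yield from functions_in(child)


def rejected_by_denylist(tree):
    """Names the patch's blacklist would refuse (only the known-heavy ones)."""
    return sorted(f for f in functions_in(tree) if f in HEAVY_FUNCS)


def rejected_by_allowlist(tree):
    """Names an allow-list would refuse (anything not proven cheap)."""
    return sorted(f for f in functions_in(tree) if f not in SAFE_FUNCS)


# Constructed query: ancestors(tip) and grep("password").
QUERY_WITH_GREP = ("and",
                   ("func", ("symbol", "ancestors"), ("symbol", "tip")),
                   ("func", ("symbol", "grep"), ("string", "password")))

# Constructed query calling a hypothetical future heavyweight function
# nobody thought to blacklist.
QUERY_WITH_NEW_FUNC = ("func", ("symbol", "futureheavy"), ("string", "x"))

if __name__ == "__main__":
    for q in (QUERY_WITH_GREP, QUERY_WITH_NEW_FUNC):
        print("denylist rejects:", rejected_by_denylist(q),
              "| allowlist rejects:", rejected_by_allowlist(q))
```

The second query shows the gap Kevin describes: the deny-list lets the unknown function through, while the allow-list refuses it until someone has deliberately marked it safe.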