[PATCH V3] hgweb: restrict usage of regular expressions in search

Alexander Plavin alexander at plav.in
Sun Sep 1 01:26:52 CDT 2013



01.09.2013, 07:56, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
> On 16 Aug 2013, at 4:02 PM, Alexander Plavin wrote:
>
>>  2013/8/17 Alexander Plavin <alexander at plav.in>:
>>>  # HG changeset patch
>>>  # User Alexander Plavin <alexander at plav.in>
>>>  # Date 1376650882 -14400
>>>  #      Fri Aug 16 15:01:22 2013 +0400
>>>  # Node ID 0cf9f8749e3d031259a6c3ff131b4945d1dc3eeb
>>>  # Parent  d7684354b9a2755149fc8b9740d2770634d3185e
>>>  hgweb: restrict usage of regular expressions in search
>>>
>>>  If the search query has strings defining revset regular expressions
>>>  (those starting with 're:'), revset syntax is disabled. It eliminates the
>>>  possibility of ReDoS.
>>>
>>>  diff -r d7684354b9a2 -r 0cf9f8749e3d mercurial/hgweb/webcommands.py
>>>  --- a/mercurial/hgweb/webcommands.py    Wed Aug 07 01:16:14 2013 +0400
>>>  +++ b/mercurial/hgweb/webcommands.py    Fri Aug 16 15:01:22 2013 +0400
>>>  @@ -9,7 +9,7 @@
>>>  import webutil
>>>  from mercurial import error, encoding, archival, templater, templatefilters
>>>  from mercurial.node import short, hex, nullid
>>>  -from mercurial.util import binary
>>>  +from mercurial.util import binary, any
>>>  from common import paritygen, staticfile, get_contact, ErrorResponse
>>>  from common import HTTP_OK, HTTP_FORBIDDEN, HTTP_NOT_FOUND
>>>  from mercurial import graphmod, patch
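Review bot: importing `any` by name in the `from mercurial.util import binary, any` line shadows the builtin of the same name for the whole module, and a bare `any(...)` call is exactly what the check-code test objects to, as the follow-up in this thread notes. Prefer `from mercurial import util` and call `util.any(...)` at the use site, so the compatibility shim is used explicitly and the check passes; the existing `binary` import can stay as it is, or move to `util.binary` in a separate patch.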
>>>  @@ -175,6 +175,10 @@
>>>              # no revset syntax used
>>>              return 'kw'
>>>
>>>  +        if any((token, (value or '')[:3]) == ('string', 're:')
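Review bot: the guard on the `if any((token, (value or '')[:3]) == ('string', 're:')` line is cut off in the quoted message, so neither the rest of the generator expression nor the branch taken on a match is visible here; the commit message says revset syntax is then disabled, which should mean the same `return 'kw'` path as the "no revset syntax used" case just above, and a test that feeds a quoted `'re:...'` argument and asserts on that fallback would pin the behaviour down. Note also that the comparison only fires for `string` tokens whose first three characters are exactly `re:`, the spelling the commit message names; that is the right scope as long as no other token kind can carry a user-chosen pattern into the matcher, which is worth confirming explicitly.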
>>  Now 'any' is used legitimately here, as it's imported at the top.
>>  However, I don't know what to do about the check-code test failing here
>>  due to the use of 'any'.
>
> I suspect the correct approach would be to change the import line to: `from mercurial import util`, and then call `util.any(...)`.

And change 'binary' calls to 'util.binary' (in a separate patch)?

>
> pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
> Kevin R. Bullock

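As an added, self-contained illustration of the guard the commit message describes (example code written for this page, not Mercurial's own hgweb or revset code): a hypothetical, much-simplified tokenizer stands in for Mercurial's revset tokenizer, `uses_regex` reproduces the patch's `('string', 're:')` comparison, and `search_mode` falls back to plain keyword search ('kw') whenever a quoted `re:` string appears in the query. The names `tokenize`, `uses_regex`, `search_mode`, the token kinds and the sample queries are assumptions made for this example; the preceding "no revset syntax used" shortcut from the real function is left out.

```python
import re

# Constructed stand-in for a revset tokenizer. This is NOT Mercurial's
# revset.tokenize; it is a hypothetical simplification for illustration.
# It yields (kind, value) pairs: quoted text -> 'string', bare words ->
# 'symbol', punctuation -> 'op'. Values are never None in this toy, but the
# guard below keeps the patch's `(value or '')` defence anyway.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | '(?P<sq>(?:\\.|[^'\\])*)'
  | "(?P<dq>(?:\\.|[^"\\])*)"
  | (?P<sym>[A-Za-z_][\w.-]*)
  | (?P<op>!=|==|[()&|:~^,+!-])
""", re.VERBOSE)

REGEX_PREFIX = 're:'   # the revset spelling that turns a string into a regex


def tokenize(query):
    """Split a query into (kind, value) tokens; reject anything unrecognised."""
    tokens = []
    pos = 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError('unexpected character %r at %d' % (query[pos], pos))
        pos = m.end()
        if m.group('ws') is not None:
            continue                      # whitespace carries no token
        if m.group('sq') is not None:
            tokens.append(('string', m.group('sq')))
        elif m.group('dq') is not None:
            tokens.append(('string', m.group('dq')))
        elif m.group('sym') is not None:
            tokens.append(('symbol', m.group('sym')))
        else:
            tokens.append(('op', m.group('op')))
    return tokens


def uses_regex(tokens):
    """True if any string token would be interpreted as a regular expression.

    Mirrors the patch's check: look only at 'string' tokens and compare the
    first three characters with 're:'. A None value is treated as ''.
    """
    return any((kind, (value or '')[:3]) == ('string', REGEX_PREFIX)
               for kind, value in tokens)


def search_mode(query):
    """Decide how an hgweb-style search should treat the query.

    An attacker-chosen regex must not reach a revset matcher, where a pattern
    such as (a+)+$ run against a long non-matching string backtracks
    exponentially (ReDoS). Queries that smuggle in such a pattern fall back
    to the plain keyword search, which does no regex matching at all.
    """
    tokens = tokenize(query)
    if uses_regex(tokens):
        return 'kw'        # revset syntax disabled for this query
    return 'revset'


if __name__ == '__main__':
    for q in ("author('re:(a+)+$')", "branch(default) and not merge()",
              "keyword('literal:re:x')", "re:foo"):
        print('%-40s -> %s' % (q, search_mode(q)))
```

The `[:3]` comparison keys on the exact revset spelling, so `'literal:re:x'` is not treated as a regex, and in this toy tokenizer a bare `re:foo` splits into symbol, operator, symbol rather than a string token; the guard therefore fires only where a quoted pattern would otherwise be handed to the matcher.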

More information about the Mercurial-devel mailing list