[PATCH V3] hgweb: restrict usage of regular expressions in search

Kevin Bullock kbullock+mercurial at ringworld.org
Mon Sep 2 22:58:53 CDT 2013


On 1 Sep 2013, at 1:26 AM, Alexander Plavin wrote:

> 01.09.2013, 07:56, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
>> On 16 Aug 2013, at 4:02 PM, Alexander Plavin wrote:
>> 
>>>  2013/8/17 Alexander Plavin <alexander at plav.in>:
>>>>  # HG changeset patch
>>>>  # User Alexander Plavin <alexander at plav.in>
>>>>  # Date 1376650882 -14400
>>>>  #      Fri Aug 16 15:01:22 2013 +0400
>>>>  # Node ID 0cf9f8749e3d031259a6c3ff131b4945d1dc3eeb
>>>>  # Parent  d7684354b9a2755149fc8b9740d2770634d3185e
>>>>  hgweb: restrict usage of regular expressions in search
>>>> 
>>>>  If the search query has strings defining revset regular expressions
>>>>  (those starting with 're:'), revset syntax is disabled. It eliminates the
>>>>  possibility of ReDoS.
>>>> 
>>>>  diff -r d7684354b9a2 -r 0cf9f8749e3d mercurial/hgweb/webcommands.py
>>>>  --- a/mercurial/hgweb/webcommands.py    Wed Aug 07 01:16:14 2013 +0400
>>>>  +++ b/mercurial/hgweb/webcommands.py    Fri Aug 16 15:01:22 2013 +0400
>>>>  @@ -9,7 +9,7 @@
>>>>  import webutil
>>>>  from mercurial import error, encoding, archival, templater, templatefilters
>>>>  from mercurial.node import short, hex, nullid
>>>>  -from mercurial.util import binary
>>>>  +from mercurial.util import binary, any
>>>>  from common import paritygen, staticfile, get_contact, ErrorResponse
>>>>  from common import HTTP_OK, HTTP_FORBIDDEN, HTTP_NOT_FOUND
>>>>  from mercurial import graphmod, patch
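Review bot: the `from mercurial.util import binary, any` form is what the check-code test flags (see the "check code test failing here due to use of 'any'" remark further down); switch the import to `from mercurial import util` and call `util.any(...)`, and move the existing `binary` calls to `util.binary` in a separate patch as discussed below.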
>>>>  @@ -175,6 +175,10 @@
>>>>              # no revset syntax used
>>>>              return 'kw'
>>>> 
>>>>  +        if any((token, (value or '')[:3]) == ('string', 're:')
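Review bot: the hunk is cut off after `if any((token, (value or '')[:3]) == ('string', 're:')`, so neither the iterable the generator expression walks nor the body of the `if` is in this excerpt, and the fallback to `'kw'` that the commit message describes cannot be confirmed from what is shown; please include the full hunk in the resend. The `(value or '')` guard is the right shape, since it keeps the prefix comparison from failing on tokens whose value is None.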
>>>  Now 'any' is used legitimately here, as it's imported at the top.
>>>  However, don't know what to do with the check code test failing here
>>>  due to use of 'any'.
>> 
>> I suspect the correct approach would be to change the import line to: `from mercurial import util`, and then call `util.any(...)`.
> 
> And change 'binary' calls to 'util.binary' (in a separate patch)?

Preferably, yes.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
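The decision the patch adds to hgweb's search, shown end to end as an added example that is not part of this thread or of Mercurial's code base. The tokenizer here is a constructed simplification (it is not mercurial.revset.tokenize), and the function names `tokenize`, `uses_regex_string` and `search_mode` are the example's own; what it preserves is the (token, value) pair shape and the `any(...)` condition from the hunk, so a query that carries a quoted 're:' string is downgraded to keyword search instead of handing a user-supplied regular expression to the revset engine.

```python
import re

# Constructed, simplified tokenizer for this example; it is NOT
# mercurial.revset.tokenize. Quoted text becomes a ('string', value)
# token, bare words become ('symbol', value) tokens and any other
# single character becomes an operator token with value None, which
# mirrors the (token, value) pairs the patch inspects.
_TOKEN_RE = re.compile(r'''
    \s+                                 # whitespace is skipped
  | "(?P<dq>(?:[^"\\]|\\.)*)"           # double-quoted string
  | '(?P<sq>(?:[^'\\]|\\.)*)'           # single-quoted string
  | (?P<sym>[A-Za-z0-9_.\-/@]+)         # bare symbol: names, tags, hashes
  | (?P<op>.)                           # anything else: one-char operator
''', re.VERBOSE)


def tokenize(query):
    """Split a search query into (token, value) pairs."""
    tokens = []
    for m in _TOKEN_RE.finditer(query):
        if m.group('dq') is not None:
            tokens.append(('string', m.group('dq')))
        elif m.group('sq') is not None:
            tokens.append(('string', m.group('sq')))
        elif m.group('sym') is not None:
            tokens.append(('symbol', m.group('sym')))
        elif m.group('op') is not None:
            tokens.append((m.group('op'), None))
        # whitespace matches no named group and is dropped
    return tokens


def uses_regex_string(tokens):
    """The condition from the patch: is any string token a 're:' pattern?

    Only quoted strings can carry a regular expression into the revset
    engine; the (value or '') guard covers operator tokens whose value
    is None.
    """
    return any((token, (value or '')[:3]) == ('string', 're:')
               for token, value in tokens)


def search_mode(query):
    """Decide how hgweb should run the query: 'kw' or 'revset'."""
    tokens = tokenize(query)
    # a bare list of words carries no revset syntax: keyword search
    if all(token == 'symbol' for token, _ in tokens):
        return 'kw'
    # revset syntax is present, but a 're:' string would hand a
    # user-supplied regular expression to the revset engine, so the
    # query is downgraded to a plain keyword search instead
    if uses_regex_string(tokens):
        return 'kw'
    return 'revset'


if __name__ == '__main__':
    for q in ('fix crash', 'user("alex")', "branch('re:stable.*')"):
        print('%-28s -> %s' % (q, search_mode(q)))
```

Note that an unquoted `re:foo` tokenizes as symbol, operator, symbol and so is not a regex string; only the quoted form is intercepted, which is the same token type the hunk's `('string', 're:')` comparison targets.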
