[PATCH 2 of 5 V4] hgweb: restrict usage of regular expressions in search
Alexander Plavin
alexander at plav.in
Wed Sep 4 14:13:05 CDT 2013
# HG changeset patch
# User Alexander Plavin <alexander at plav.in>
# Date 1376650882 -14400
# Fri Aug 16 15:01:22 2013 +0400
# Node ID a7a859be2d42f36c3932b403db662e4b403e93a6
# Parent 20d30e47780261b1c11f20cfd619820a616c1d86
hgweb: restrict usage of regular expressions in search
If the search query contains strings defining revset regular expressions
(those starting with 're:'), revset syntax is disabled. This eliminates the
possibility of ReDoS.
diff -r 20d30e477802 -r a7a859be2d42 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py Tue Sep 03 20:02:53 2013 +0400
+++ b/mercurial/hgweb/webcommands.py Fri Aug 16 15:01:22 2013 +0400
@@ -179,6 +179,10 @@
# no revset syntax used
return MODE_KEYWORD, query
+ if util.any((token, (value or '')[:3]) == ('string', 're:')
+ for token, value, pos in revset.tokenize(revdef)):
+ return MODE_KEYWORD, query
+
mfunc = revset.match(None, revdef)
try:
# try running against empty subset
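Review bot: The new gate only recognises quoted string tokens whose value begins with 're:', so a predicate that always interprets its argument as a regular expression (the revset grep() predicate, if I remember its semantics correctly) still reaches revset.match() and keeps the ReDoS exposure the commit description says is eliminated; a per-predicate check, or an allow-list of the predicates hgweb is willing to evaluate, would close that gap. The loop also discards `pos`, and the reason for the fallback is not recorded in the code; I would write `for token, value, _ in revset.tokenize(revdef)):` and put a comment above the `if`, e.g. `# 're:' strings would be compiled as user-controlled regular expressions; fall back to keyword search to avoid ReDoS`. revset.tokenize() presumably raises a ParseError on a malformed revdef before the existing try block is entered — worth confirming that case is handled the same way a revset.match() failure is. The enclosing function starts outside the hunk.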
diff -r 20d30e477802 -r a7a859be2d42 tests/test-hgweb-commands.t
--- a/tests/test-hgweb-commands.t Tue Sep 03 20:02:53 2013 +0400
+++ b/tests/test-hgweb-commands.t Fri Aug 16 15:01:22 2013 +0400
@@ -632,6 +632,56 @@
+ $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("test")&style=raw'
+ 200 Script output follows
+
+
+ # HG changesets search
+ # Node ID cad8025a2e87f88c06259790adfa15acb4080123
+ # Query "user("test")"
+
+ changeset: cad8025a2e87f88c06259790adfa15acb4080123
+ revision: 3
+ user: test
+ date: Thu, 01 Jan 1970 00:00:00 +0000
+ summary: branch commit with null character: \x00 (esc)
+ branch: unstable
+ tag: tip
+ bookmark: something
+
+ changeset: 1d22e65f027e5a0609357e7d8e7508cd2ba5d2fe
+ revision: 2
+ user: test
+ date: Thu, 01 Jan 1970 00:00:00 +0000
+ summary: branch
+ branch: stable
+
+ changeset: a4f92ed23982be056b9852de5dfe873eaac7f0de
+ revision: 1
+ user: test
+ date: Thu, 01 Jan 1970 00:00:00 +0000
+ summary: Added tag 1.0 for changeset 2ef0ac749a14
+ branch: default
+
+ changeset: 2ef0ac749a14e4f57a5a822464a0902c6f7f448f
+ revision: 0
+ user: test
+ date: Thu, 01 Jan 1970 00:00:00 +0000
+ summary: base
+ tag: 1.0
+ bookmark: anotherthing
+
+
+ $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("re:test")&style=raw'
+ 200 Script output follows
+
+
+ # HG changesets search
+ # Node ID cad8025a2e87f88c06259790adfa15acb4080123
+ # Query "user("re:test")"
+
+
+
File-related
$ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'file/1/foo/?style=raw'