[PATCH 5 of 6 V3] hgweb: blacklist heavyweight revset functions in hgweb search

Alexander Plavin alexander at plav.in
Thu Sep 12 10:58:02 CDT 2013



12.09.2013, 07:39, "Matt Mackall" <mpm at selenic.com>:
> On Mon, 2013-09-02 at 22:57 -0500, Kevin Bullock wrote:
>
>>  On 1 Sep 2013, at 1:25 AM, Alexander Plavin wrote:
>>>  01.09.2013, 08:54, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
>>>>  On 22 Aug 2013, at 10:11 AM, Alexander Plavin wrote:
>>>>>   # HG changeset patch
>>>>>   # User Alexander Plavin <alexander at plav.in>
>>>>>   # Date 1374269558 -14400
>>>>>   #      Sat Jul 20 01:32:38 2013 +0400
>>>>>   # Node ID 3767921c4b274499fe4254bdafef56bba346b088
>>>>>   # Parent  5734dd4b2bd2a859a2ef0be6e0f4485f028abf6e
>>>>>   hgweb: blacklist heavyweight revset functions in hgweb search
>>>>>
>>>>>   Disallow usage of functions 'contains' and 'grep'.
>>>>  It will be verbose, but I'd rather have a whitelist of known-safe(-ish) revsets. That way when we add the next (possibly unexpectedly!) compute-intensive revset, we won't be opening our users up to new DoS attacks because we forgot to blacklist it.
>>>  Agree, makes sense. And what about moving this part of code to revset.py?
>>  No strong opinion either way.
>
> Seems a good idea to me.

In the more recent version of these patches (namely, those with the V5 flag) I've done this. It would be nice if you looked at them too :)

>
> --
> Mathematics is the supreme nostalgia of our time.
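As an added illustration of the whitelist-versus-blacklist point raised above (example code written for this page, not Mercurial's revset.py and not part of any patch in this series): the blacklist from the V3 patch rejects only 'contains' and 'grep', so a hypothetical new compute-intensive revset function sails through, while a whitelist of known-cheap functions rejects it by default. The regex-based function-name extraction, the SAFE set and the name of the hypothetical new function are all assumptions made for the example.

```python
import re

# Constructed toy view of revset syntax for this example only: a function
# call is `name(...)`, anything else is a symbol (branch, tag, hash).
# This is NOT Mercurial's revset parser, which builds a real parse tree.
_FUNC_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def function_names(expr):
    """Return the set of function names called anywhere in `expr`.

    Over-approximates: a name followed by '(' inside a quoted string is
    also reported, which only makes both filters below stricter.
    """
    return set(_FUNC_RE.findall(expr))


# Blacklist approach of the V3 patch: deny only the two known-heavy functions.
HEAVY = {"contains", "grep"}


def blacklist_ok(expr):
    """True unless the expression calls a blacklisted (heavyweight) function."""
    return not (function_names(expr) & HEAVY)


# Whitelist approach suggested in the thread: allow only functions believed
# to be cheap. The membership of this set is an assumption for illustration.
SAFE = {"ancestors", "descendants", "branch", "author", "date", "heads",
        "tag", "user", "reverse", "sort", "limit"}


def whitelist_ok(expr):
    """True only if every function called is in the known-safe set."""
    return function_names(expr) <= SAFE


def check(expr):
    """Evaluate one search expression under both policies."""
    return {"blacklist": blacklist_ok(expr), "whitelist": whitelist_ok(expr)}


if __name__ == "__main__":
    # Constructed sample searches, including a hypothetical future function
    # `newexpensive()` that nobody remembered to blacklist.
    for sample in ['branch(default) and author(plavin)',
                   'grep("fix") and branch(default)',
                   'newexpensive("x")']:
        print(sample, "->", check(sample))
```

Running the block shows the gap Kevin described: `newexpensive("x")` is accepted by the blacklist and rejected by the whitelist, while searches built only from cheap functions pass both. In a real implementation the check would walk the parsed revset tree rather than regex-scan the string, so that names inside quoted arguments are not mistaken for calls.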

