[PATCH 5 of 6 V3] hgweb: blacklist heavyweight revset functions in hgweb search

Matt Mackall mpm at selenic.com
Thu Sep 12 18:03:44 CDT 2013


On Thu, 2013-09-12 at 19:58 +0400, Alexander Plavin wrote:
> 
> 12.09.2013, 07:39, "Matt Mackall" <mpm at selenic.com>:
> > On Mon, 2013-09-02 at 22:57 -0500, Kevin Bullock wrote:
> >
> >>  On 1 Sep 2013, at 1:25 AM, Alexander Plavin wrote:
> >>>  01.09.2013, 08:54, "Kevin Bullock" <kbullock+mercurial at ringworld.org>:
> >>>>  On 22 Aug 2013, at 10:11 AM, Alexander Plavin wrote:
> >>>>>   # HG changeset patch
> >>>>>   # User Alexander Plavin <alexander at plav.in>
> >>>>>   # Date 1374269558 -14400
> >>>>>   #      Sat Jul 20 01:32:38 2013 +0400
> >>>>>   # Node ID 3767921c4b274499fe4254bdafef56bba346b088
> >>>>>   # Parent  5734dd4b2bd2a859a2ef0be6e0f4485f028abf6e
> >>>>>   hgweb: blacklist heavyweight revset functions in hgweb search
> >>>>>
> >>>>>   Disallow usage of functions 'contains' and 'grep'.
> >>>>  It will be verbose, but I'd rather have a whitelist of known-safe(-ish) revsets. That way when we add the next (possibly unexpectedly!) compute-intensive revset, we won't be opening our users up to new DoS attacks because we forgot to blacklist it.
> >>>  Agree, makes sense. And what about moving this part of code to revset.py?
> >>  No strong opinion either way.
> >
> > Seems a good idea to me.
> 
> In the more recent version of these patches (namely, those with V5 flag) I'd done this. It would be nice if you looked at them too :)

Argh. V5, he says! V5 of WHICH of the eight or so hard-to-distinguish
series currently clogging my inbox??

It's extremely difficult for me to determine what's new and what's
obsolete in my inbox anymore, because I have pages and pages of
patchsets with the same author and similar summaries and no good way to
spot duplicates. It's a maze of twisty little messages, all slightly
different and I don't want to spend all my time sorting through this
mess. And not sorting through this mess means my patch acceptance rate
(and your progress) has suffered for weeks. That your mentor has failed
to throttle[1] you earlier is unfortunate.

I _really_ should just dump absolutely everything from you currently in
my inbox so I can get back on top of things, but that means I would miss
existing review comments to figure out whether your future patches are
acceptable and what's already been addressed.

Recommended reading:

http://mercurial.selenic.com/wiki/ContributingChanges#Flow_control
http://www.selenic.com/inbox

[1] pun intended?

-- 
Mathematics is the supreme nostalgia of our time.
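The allowlist-versus-denylist point Kevin Bullock raises above, as an added Python example that is not part of this thread or of Mercurial's own code: a denylist of the two functions the patch names beside an allowlist of functions assumed cheap, both applied to the function names found in a revset string. The way function names are recognised (an identifier followed by `(`, with string literals and the infix keywords skipped), the contents of the allowlist, and the name `hypothetical_slowfn` standing in for a future expensive revset are assumptions of this example, not Mercurial's revset parser.

```python
import re

# Constructed for this example: the two functions the patch disallows.
DENYLIST = frozenset({"contains", "grep"})

# Constructed for this example: functions assumed cheap enough for hgweb
# search. Anything not listed here is rejected, so a function added later
# is rejected by default until someone decides it belongs on the list.
ALLOWLIST = frozenset({"author", "branch", "date", "desc", "head", "tag", "user"})

# Revset infix/prefix keywords that may be followed by '(' but are not calls.
_KEYWORDS = frozenset({"and", "or", "not"})

# An identifier immediately followed by '(' is treated as a function call
# (assumption of this example; Mercurial's real parser is token based).
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
_STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')


def function_names(expr):
    """Return the function names called in a revset expression, in order.

    String literals are blanked first so that a '(' inside a quoted
    argument (e.g. desc("grep(")) is not mistaken for a call.
    """
    stripped = _STRING_RE.sub('""', expr)
    return [m.group(1) for m in _CALL_RE.finditer(stripped)
            if m.group(1) not in _KEYWORDS]


def rejected_by_denylist(expr):
    """Names the denylist approach would refuse: only listed functions."""
    return sorted({n for n in function_names(expr) if n in DENYLIST})


def rejected_by_allowlist(expr):
    """Names the allowlist approach would refuse: anything not known safe."""
    return sorted({n for n in function_names(expr) if n not in ALLOWLIST})


def search_allowed(expr):
    """Allowlist-based gate a search handler could apply before evaluating."""
    return not rejected_by_allowlist(expr)


if __name__ == "__main__":
    # Both approaches agree on the functions the patch already names ...
    query = 'grep("fix") and branch(default)'
    print(rejected_by_denylist(query), rejected_by_allowlist(query))
    # ... but only the allowlist catches a function nobody thought to list.
    # hypothetical_slowfn is a placeholder, not a real revset function.
    later = 'hypothetical_slowfn("x") or head()'
    print(rejected_by_denylist(later), rejected_by_allowlist(later))
    print(search_allowed('desc("grep(") and not (tag(v1))'))
```

The second query is the case Kevin describes: a compute-intensive function added after the denylist was written sails through it, while the allowlist refuses it until it is explicitly vetted.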