[PATCH 4 of 5] context: use a the nofsauditor when matching file in history (issue4749)
Pierre-Yves David
pierre-yves.david at ens-lyon.org
Sat Dec 5 23:33:43 CST 2015
On 12/05/2015 02:35 PM, Matt Mackall wrote:
> On Thu, 2015-12-03 at 14:01 -0800, Pierre-Yves David wrote:
>> # HG changeset patch
>> # User Pierre-Yves David <pierre-yves.david at fb.com>
>> # Date 1449177826 28800
>> # Thu Dec 03 13:23:46 2015 -0800
>> # Node ID 65797f84a2cc0317f1326215701befd382d04299
>> # Parent 64a5cdedfc87c8c3d47d8147612e62186a5228c4
>> # EXP-Topic symlink.issue4749
>> # Available At http://hg.netv6.net/marmoute-wip/mercurial/
>> # hg pull http://hg.netv6.net/marmoute-wip/mercurial/ -r
>> 65797f84a2cc
>> context: use a the nofsauditor when matching file in history
>> (issue4749)
>
> I would be MUCH happier if the commit message addressed the following
> obvious security question:
>
> How are we still confident that we never accidentally use the
> nofsauditor with on-disk paths?

Whoops, I did double check, but that data got lost somewhere in my patch
gardening.

The working copy context class has a different 'match' implementation.
That implementation still uses the repo.auditor and will still catch symlink
traversal.

I've audited all stuff calling "match" and they all go through a ctx in
a sensible way. The most unclear case was diff, which still seemed okay.
You raised my paranoia level today and I double checked through tests.
They behave properly.

The odds of someone using the wrong one (matching with a changectx for
an operation that will eventually touch the file system) are non-zero
because you are never sure of what people will do. But I dunno if we can
fight against that. So I would not commit to "never" for "at this level"
and "in the future" if someone writes especially bad code.

However, as a last defense, the vfs itself is running the path auditor in
all cases outside of .hg/. So I think anything passing the 'matcher' for
buggy reasons would growl at the vfs layer.

Feel free to update the commit message with the above statement.

I also have the tests for `hg diff` to send to the list. I can email a V2
with the test and an updated message if you want me to.

--
Pierre-Yves David
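
The distinction discussed in the message above, as an added example (a simplified stand-in, not Mercurial's own path auditor code and not part of the original e-mail): a lexical-only audit, suitable for paths that exist only in history, accepts `link/file.txt`, while the on-disk audit rejects the same path once `link` is a symlink in the working copy. The function names and the temporary directory layout are assumptions made for the illustration.

```python
import os
import tempfile


class AuditError(Exception):
    """Raised when a repository-relative path is unsafe to use."""


def audit_lexical(path):
    """History-only check (hypothetical helper): never touches the file system."""
    parts = path.replace("\\", "/").split("/")
    if os.path.isabs(path) or not path:
        raise AuditError("absolute or empty path: %r" % path)
    for part in parts:
        if part in ("", ".", ".."):
            raise AuditError("path contains illegal component: %r" % path)
    if parts[0].lower() == ".hg":
        raise AuditError("path is inside repository metadata: %r" % path)
    return parts


def audit_on_disk(root, path):
    """Working-copy check (hypothetical helper): lexical rules plus symlink detection."""
    parts = audit_lexical(path)
    current = root
    for part in parts[:-1]:  # every directory prefix of the path
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise AuditError("path %r traverses symbolic link %r" % (path, part))
    return os.path.join(root, *parts)


def demo():
    """Constructed scenario: 'link' is a plain name in history, a symlink on disk."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as outside:
        os.symlink(outside, os.path.join(root, "link"))
        results = {}
        for name, check in (("lexical", audit_lexical),
                            ("on_disk", lambda p: audit_on_disk(root, p))):
            try:
                check("link/file.txt")
                results[name] = "accepted"
            except AuditError:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The lexical check is only safe for paths that never reach the file system; any code path that writes to or reads from the working copy needs the on-disk variant.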