[PATCH] hgweb: document why we don't allow untrusted settings to control zlib
Gregory Szorc
gregory.szorc at gmail.com
Tue Aug 16 03:39:35 UTC 2016
# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1471318773 25200
# Mon Aug 15 20:39:33 2016 -0700
# Node ID 4d33314178c961d924de561d725c5febd4cacee0
# Parent 997e8cf4d0a29d28759e38659736cb3d1cf9ef3f
hgweb: document why we don't allow untrusted settings to control zlib
Added comment per discussion on mercurial-devel.
diff --git a/mercurial/hgweb/protocol.py b/mercurial/hgweb/protocol.py
--- a/mercurial/hgweb/protocol.py
+++ b/mercurial/hgweb/protocol.py
@@ -69,16 +69,19 @@ class webproto(wireproto.abstractserverp
def redirect(self):
self.oldio = self.ui.fout, self.ui.ferr
self.ui.ferr = self.ui.fout = stringio()
def restore(self):
val = self.ui.fout.getvalue()
self.ui.ferr, self.ui.fout = self.oldio
return val
def groupchunks(self, cg):
+ # Don't allow untrusted settings because disabling compression or
+ # setting a very high compression level could lead to flooding
+ # the server's network or CPU.
z = zlib.compressobj(self.ui.configint('server', 'zliblevel', -1))
while True:
chunk = cg.read(4096)
if not chunk:
break
yield z.compress(chunk)
yield z.flush()
def _client(self):
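Review bot: The new comment above `z = zlib.compressobj(...)` explains the threat (CPU/bandwidth flooding) but not the mechanism that enforces it, so a later maintainer who adds `untrusted=True` to the `configint` call for "consistency" with other hgweb settings would silently reopen the issue. If I read Mercurial's ui API correctly, the protection here rests entirely on calling `self.ui.configint('server', 'zliblevel', -1)` without `untrusted=True`; I would extend the comment with `# Enforced by calling configint() WITHOUT untrusted=True: only trusted config (not a repository's own .hg/hgrc) may set this.` so the intent survives a refactor. Note also that `configint` does not range-check the value and `zlib.compressobj` rejects levels outside -1..9 with `zlib.error`, so a mistyped trusted setting fails at request time rather than at config load; that is an operator error, not an attacker-controlled one, but worth a sentence in the config documentation. The hunk ends on the `def _client(self):` signature, whose body lies outside this patch.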