[PATCH] templater: add 'env()' to fetch environment variables

Yuya Nishihara yuya at tcha.org
Tue Jan 17 09:06:59 EST 2017


On Mon, 16 Jan 2017 22:28:17 -0500, Matt Harbison wrote:
> On Mon, 16 Jan 2017 07:25:24 -0500, Yuya Nishihara <yuya at tcha.org> wrote:
> > On Sun, 15 Jan 2017 15:30:56 -0500, Matt Harbison wrote:
> >> # HG changeset patch
> >> # User Matt Harbison <matt_harbison at yahoo.com>
> >> # Date 1484508143 18000
> >> #      Sun Jan 15 14:22:23 2017 -0500
> >> # Node ID 2ba757de67ce1347d088a4d9f947efe5d407ffdd
> >> # Parent  4c0a5a256ae806fab18d56b3c44a8d1c98a40ce0
> >> templater: add 'env()' to fetch environment variables

> @templatekeyword('environ')
> def showenviron(**args):
>      """A dictionary of environment variables."""
> 
>      env = encoding.environ
>      env = util.sortdict((k, env[k]) for k in sorted(env))
>      makemap = lambda k: {'key': k, 'value': env[k]}
>      c = [makemap(k) for k in env]
>      f = _showlist('environ', c, **args)
>      return _hybrid(f, env, makemap,
>                     lambda x: '%s=%s' % (x['key'], x['value']))

As I pointed out in another thread, there's a security concern. We have to
be careful to not expose the environ data to malicious users via e.g. hgweb.

I agreed with marmoute on IRC we should shape the APIs so we would never
give access to the environ dict by mistake.

Here's some ideas:

 a) list accessible environment variables explicitly by config
    e.g. --config ui.accessibleenvironintemplate=BUILD_ID,BUILD_TYPE

 b) define template variables by config (somewhat similar to [extdata])
    e.g. [exttemplatevariables]
         # $var will be expanded
         build_id = $BUILD_ID
         build_type = $BUILD_TYPE

 c) add API to access environment variables that can be exported
    e.g. ui.exportableenviron = environ.environ  # by default
                              = {}               # by hgweb

Thoughts?


More information about the Mercurial-devel mailing list