[PATCH] templater: add 'env()' to fetch environment variables
Matt Harbison
mharbison72 at gmail.com
Tue Jan 17 23:46:43 EST 2017
On Tue, 17 Jan 2017 09:06:59 -0500, Yuya Nishihara <yuya at tcha.org> wrote:
> On Mon, 16 Jan 2017 22:28:17 -0500, Matt Harbison wrote:
>> On Mon, 16 Jan 2017 07:25:24 -0500, Yuya Nishihara <yuya at tcha.org>
>> wrote:
>> > On Sun, 15 Jan 2017 15:30:56 -0500, Matt Harbison wrote:
>> >> # HG changeset patch
>> >> # User Matt Harbison <matt_harbison at yahoo.com>
>> >> # Date 1484508143 18000
>> >> # Sun Jan 15 14:22:23 2017 -0500
>> >> # Node ID 2ba757de67ce1347d088a4d9f947efe5d407ffdd
>> >> # Parent 4c0a5a256ae806fab18d56b3c44a8d1c98a40ce0
>> >> templater: add 'env()' to fetch environment variables
>
>> @templatekeyword('environ')
>> def showenviron(**args):
>> """A dictionary of environment variables."""
>>
>> env = encoding.environ
>> env = util.sortdict((k, env[k]) for k in sorted(env))
>> makemap = lambda k: {'key': k, 'value': env[k]}
>> c = [makemap(k) for k in env]
>> f = _showlist('environ', c, **args)
>> return _hybrid(f, env, makemap,
>> lambda x: '%s=%s' % (x['key'], x['value']))
>
> As I pointed out in another thread, there's a security concern. We have
> to
> be careful to not expose the environ data to malicious users via e.g.
> hgweb.
>
> I agreed with marmoute on IRC we should shape the APIs so we would never
> give access to the environ dict by mistake.
>
> Here's some ideas:
>
> a) list accessible environment variables explicitly by config
> e.g. --config ui.accessibleenvironintemplate=BUILD_ID,BUILD_TYPE
>
> b) define template variables by config (somewhat similar to [extdata])
I'm not familiar with that, and a grep for 'extdata' (excluding 'tests/'),
didn't find anything.
> e.g. [exttemplatevariables]
> # $var will be expanded
> build_id = $BUILD_ID
> build_type = $BUILD_TYPE
>
> c) add API to access environment variables that can be exported
> e.g. ui.exportableenviron = environ.environ # by default
> = {} # by hgweb
>
> Thoughts?
I think I prefer the 3rd for user simplicity. I couldn't figure out how
to do that, so I did a hybrid of 1 and 3 for now. I don't know enough
about hgweb to know if it ever makes sense/is useful to export any
environment variables. I'll send the patch shortly.
More information about the Mercurial-devel
mailing list