D1136: templatefilters: defend against evil unicode strs in json filter
durin42 (Augie Fackler)
phabricator at mercurial-scm.org
Wed Oct 18 08:46:43 EDT 2017
This revision was automatically updated to reflect the committed changes.
Closed by commit rHG4fdc4adbc838: templatefilters: defend against evil unicode strs in json filter (authored by durin42, committed by ).
CHANGED PRIOR TO COMMIT
https://phab.mercurial-scm.org/D1136?vs=2917&id=2966#toc
REPOSITORY
rHG Mercurial
CHANGES SINCE LAST UPDATE
https://phab.mercurial-scm.org/D1136?vs=2917&id=2966
REVISION DETAIL
https://phab.mercurial-scm.org/D1136
AFFECTED FILES
mercurial/templatefilters.py
CHANGE DETAILS
diff --git a/mercurial/templatefilters.py b/mercurial/templatefilters.py
--- a/mercurial/templatefilters.py
+++ b/mercurial/templatefilters.py
@@ -13,6 +13,7 @@
from . import (
encoding,
+ error,
hbisect,
node,
pycompat,
@@ -233,6 +234,13 @@
return pycompat.bytestr(obj)
elif isinstance(obj, bytes):
return '"%s"' % encoding.jsonescape(obj, paranoid=paranoid)
+ elif isinstance(obj, str):
+ # This branch is unreachable on Python 2, because bytes == str
+ # and we'll return in the next-earlier block in the elif
+ # ladder. On Python 3, this helps us catch bugs before they
+ # hurt someone.
+ raise error.ProgrammingError(
+ 'Mercurial only does output with bytes on Python 3: %r' % obj)
elif util.safehasattr(obj, 'keys'):
out = ['"%s": %s' % (encoding.jsonescape(k, paranoid=paranoid),
json(v, paranoid))
To: durin42, #hg-reviewers, yuja
Cc: yuja, ryanmce, mercurial-devel
More information about the Mercurial-devel
mailing list