[PATCH 2 of 2] lfs: ensure the transfer request is for a known URI
Matt Harbison
mharbison72 at gmail.com
Sun Apr 1 00:00:55 EDT 2018
# HG changeset patch
# User Matt Harbison <matt_harbison at yahoo.com>
# Date 1522555088 14400
# Sat Mar 31 23:58:08 2018 -0400
# Node ID 61133b211f50194afc52f576d93c58d3f5f6c529
# Parent bdef5a344ebfd54cf454b184e14d0c37400f7547
lfs: ensure the transfer request is for a known URI
Since the dispatching code only checks the beginning of the string, this
enforces that there's only one more path component.
diff --git a/hgext/lfs/wireprotolfsserver.py b/hgext/lfs/wireprotolfsserver.py
--- a/hgext/lfs/wireprotolfsserver.py
+++ b/hgext/lfs/wireprotolfsserver.py
@@ -22,6 +22,7 @@ from mercurial import (
HTTP_OK = hgwebcommon.HTTP_OK
HTTP_CREATED = hgwebcommon.HTTP_CREATED
HTTP_BAD_REQUEST = hgwebcommon.HTTP_BAD_REQUEST
+HTTP_NOT_FOUND = hgwebcommon.HTTP_NOT_FOUND
def handlewsgirequest(orig, rctx, req, res, checkperm):
"""Wrap wireprotoserver.handlewsgirequest() to possibly process an LFS
@@ -241,6 +242,10 @@ def _processbasictransfer(repo, req, res
oid = req.dispatchparts[-1]
localstore = repo.svfs.lfslocalblobstore
+ if len(req.dispatchparts) != 4:
+ _sethttperror(res, HTTP_NOT_FOUND)
+ return True
+
if method == b'PUT':
checkperm('upload')
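Review bot: The added `len(req.dispatchparts) != 4` guard fixes the number of path components but does not constrain the last one, so `oid = req.dispatchparts[-1]` is still an arbitrary client-supplied string when the `PUT` branch is reached. Unless the local blob store already rejects malformed names (not visible here), it would be worth also requiring `oid` to have the shape of a SHA-256 hex digest at this point and answering with the same `HTTP_NOT_FOUND`. The literal `4` also deserves a short comment, for example `# route prefix (3 components) + oid`, so the next reader does not have to find the dispatcher to see why. `_processbasictransfer` starts before and continues past this hunk, so validation further down cannot be ruled out.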