[PATCH 4 of 4] hgweb: do not audit URL path as working-directory path

Augie Fackler raf at durin42.com
Fri Sep 7 11:53:11 EDT 2018


queued, thanks

> On Sep 7, 2018, at 9:39 AM, Yuya Nishihara <yuya at tcha.org> wrote:
> 
> # HG changeset patch
> # User Yuya Nishihara <yuya at tcha.org>
> # Date 1535289489 -32400
> #      Sun Aug 26 22:18:09 2018 +0900
> # Node ID 70d6fff1bccfe8760f06bc92ca0b23a61c3ddca9
> # Parent  61b6dff6e23fde7831422b5787430a32003a4d33
> hgweb: do not audit URL path as working-directory path
> 
> Since hgweb is an interface to repository data, we don't need to prohibit
> any paths conflicting within the filesystem. Still, access to working
> files is audited by filectx.
> 
> diff --git a/mercurial/hgweb/webutil.py b/mercurial/hgweb/webutil.py
> --- a/mercurial/hgweb/webutil.py
> +++ b/mercurial/hgweb/webutil.py
> @@ -320,7 +320,8 @@ def branchentries(repo, stripecount, lim
> 
> def cleanpath(repo, path):
>     path = path.lstrip('/')
> -    return pathutil.canonpath(repo.root, '', path)
> +    auditor = pathutil.pathauditor(repo.root, realfs=False)
> +    return pathutil.canonpath(repo.root, '', path, auditor=auditor)
> 
> def changectx(repo, req):
>     changeid = "tip"
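Review bot: the `realfs=False` auditor created in `cleanpath` carries no comment explaining why the filesystem-level checks are skipped for URL paths. The justification (the path names repository data, and working-file access is still audited by filectx) exists only in the commit message, so a later reader of `webutil.py` could mistake the flag for an oversight. Suggest a short comment above `auditor = pathutil.pathauditor(repo.root, realfs=False)` stating that, and noting that callers must not treat the value returned by `cleanpath` as already checked against nested repositories in the working directory.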
> diff --git a/tests/test-hgwebdir.t b/tests/test-hgwebdir.t
> --- a/tests/test-hgwebdir.t
> +++ b/tests/test-hgwebdir.t
> @@ -1231,14 +1231,15 @@ Test subrepositories inside intermediate
> 
>   f2
> 
> -Test accessing file that is shadowed by another repository
> +Test accessing file that could be shadowed by another repository if the URL
> +path were audited as a working-directory path:
> 
>   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
> -  403 Forbidden
> -  
> +  200 Script output follows
> 
> -  error: path 'f3/file' is inside nested repo 'f3'
> -  [1]
> +  f3/file
> +
> +Test accessing working-directory file that is shadowed by another repository
> 
>   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
>   403 Forbidden
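Review bot: the two headings added in this hunk are punctuated inconsistently. The first ends with a colon ("...were audited as a working-directory path:") while the second ("Test accessing working-directory file that is shadowed by another repository") does not, and neither did the heading being replaced, so dropping the colon would keep the file uniform. The second heading could also say that the `ffffffffffff` revision in the URL is what makes this a working-directory request, since that is the only difference from the `tip` request that now returns 200, and this 403 case is the one guarding the check that must remain.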
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel


