[PATCH 4 of 4] hgweb: do not audit URL path as working-directory path
Augie Fackler
raf at durin42.com
Fri Sep 7 11:53:11 EDT 2018
queued, thanks
> On Sep 7, 2018, at 9:39 AM, Yuya Nishihara <yuya at tcha.org> wrote:
>
> # HG changeset patch
> # User Yuya Nishihara <yuya at tcha.org>
> # Date 1535289489 -32400
> # Sun Aug 26 22:18:09 2018 +0900
> # Node ID 70d6fff1bccfe8760f06bc92ca0b23a61c3ddca9
> # Parent 61b6dff6e23fde7831422b5787430a32003a4d33
> hgweb: do not audit URL path as working-directory path
>
> Since hgweb is an interface to repository data, we don't need to prohibit
> any paths conflicting within the filesystem. Still an access to working
> files is audited by filectx.
>
> diff --git a/mercurial/hgweb/webutil.py b/mercurial/hgweb/webutil.py
> --- a/mercurial/hgweb/webutil.py
> +++ b/mercurial/hgweb/webutil.py
> @@ -320,7 +320,8 @@ def branchentries(repo, stripecount, lim
>
> def cleanpath(repo, path):
> path = path.lstrip('/')
> - return pathutil.canonpath(repo.root, '', path)
> + auditor = pathutil.pathauditor(repo.root, realfs=False)
> + return pathutil.canonpath(repo.root, '', path, auditor=auditor)
>
> def changectx(repo, req):
> changeid = "tip"
> diff --git a/tests/test-hgwebdir.t b/tests/test-hgwebdir.t
> --- a/tests/test-hgwebdir.t
> +++ b/tests/test-hgwebdir.t
> @@ -1231,14 +1231,15 @@ Test subrepositories inside intermediate
>
> f2
>
> -Test accessing file that is shadowed by another repository
> +Test accessing file that could be shadowed by another repository if the URL
> +path were audited as a working-directory path:
>
> $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
> - 403 Forbidden
> -
> + 200 Script output follows
>
> - error: path 'f3/file' is inside nested repo 'f3'
> - [1]
> + f3/file
> +
> +Test accessing working-directory file that is shadowed by another repository
>
> $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
> 403 Forbidden
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
More information about the Mercurial-devel
mailing list