@@ -816,6 +816,17 @@
if cnode == key or key == 'tip':
arch_version = short(cnode)
name = "%s-%s" % (reponame, arch_version)
+
+ ctx = webutil.changectx(web.repo, req)
+ pats = []
+ file = req.form.get('file', None)
+ defaultpat = 'path'
+ if file:
+ pats = [req.form['file'][0]]
+ if ':' in pats[0]:
+ msg = 'Archive pattern not allowed: %s' % pats[0]
+ raise ErrorResponse(HTTP_FORBIDDEN, msg)
+
mimetype, artype, extension, encoding = web.archive_specs[type_]
headers = [
('Content-Disposition', 'attachment; filename=%s%s' % (name, extension))
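Review bot: The `':' in pats[0]` check has no comment saying why a colon is refused, so a reader cannot tell from the code that it stops request input from selecting a pattern kind. I would add above it `# only plain paths may come from the request; 'kind:pattern' syntax (relre: etc.) is refused`, and note there that only the first `file` value is used. The local `file` shadows the builtin and the form value is looked up twice; `files = req.form.get('file')` followed by `pats = [files[0]]` avoids both. The 403 message interpolates the raw request value, so it is worth confirming that ErrorResponse text is escaped wherever it is rendered. The enclosing function starts and ends outside this hunk.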
@@ -825,9 +836,9 @@
req.headers.extend(headers)
req.respond(HTTP_OK, mimetype)
- ctx = webutil.changectx(web.repo, req)
+ matchfn = scmutil.match(ctx, pats, default=defaultpat)
archival.archive(web.repo, req, cnode, artype, prefix=name,
- matchfn=scmutil.match(ctx, []),
+ matchfn=matchfn,
subrepos=web.configbool("web", "archivesubrepos"))
return []
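Review bot: `matchfn = scmutil.match(ctx, pats, default=defaultpat)` now runs after `req.respond(HTTP_OK, mimetype)`, so any failure while building the matcher from the request-supplied path would surface after the 200 status and archive headers are already committed. Whether scmutil.match can raise for a plain path (for example one that resolves outside the repository) is not visible here. Building the matcher in the validation block ahead of the headers, next to the `':'` check, would let such a failure be reported as a proper error response. It is also worth deciding what a path that matches no files should return; as written that case appears to yield a 200 with an empty archive. The function begins outside this hunk.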
@@ -100,6 +100,13 @@
testing: test-archive-2c0277f05ed4/baz/bletch OK
testing: test-archive-2c0277f05ed4/foo OK
No errors detected in compressed data of archive.zip.
+ $ python getarchive.py "$TIP" gz baz | gunzip | tar tf - 2>/dev/null
+ test-archive-2c0277f05ed4/baz/bletch
+
+test that we reject unsafe patterns
+
+ $ python getarchive.py "$TIP" gz relre:baz
+ HTTP Error 403: Archive pattern not allowed: relre:baz
$ "$TESTDIR/killdaemons.py" $DAEMON_PIDS