From patchwork Wed Mar 20 22:15:41 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: hgweb: require files and directory links to begin with 'path:' From: Angel Ezquerra X-Patchwork-Id: 1144 Message-Id: <84f24bbe0c3e97e4e175.1363817741@Angel-PC.localdomain> To: mercurial-devel@selenic.com Date: Wed, 20 Mar 2013 23:15:41 +0100 # HG changeset patch # User Angel Ezquerra # Date 1363809088 -3600 # Wed Mar 20 20:51:28 2013 +0100 # Node ID 84f24bbe0c3e97e4e1753c894e3c963d1e6c6d63 # Parent 136516cd3d6902aaa2edc9befc65763c56a6dbfc hgweb: require files and directory links to begin with 'path:' If they don't the server will reply with a 403 HTTP forbidden error. This gets rid of the need to explicitly check for the known pattern types. Note that the templater has access to a "path" variable which is a path to the current file or directory relative to the root of the repository, and which begins with a "/". However archival.archive() expects 'path:' to not begin with a '/'. To cope with this webcommands.archive must remove the extra '/' which is passed by the templater.
diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py
+++ b/mercurial/hgweb/webcommands.py
@@ -822,12 +822,11 @@
 file = req.form.get('file', None)
 if file:
 file = file[0]
- patandfile = file.split(':')
- if len(patandfile) > 1 and patandfile[0].lower() in ('glob', 'relglob',
- 'path', 'relpath', 're', 'relre', 'set'):
- msg = 'Archive pattern not allowed: %s' % file
+ if not file.lower().startswith('path:/'):
+ msg = "Archive path must begin with 'path:'"
 raise ErrorResponse(HTTP_FORBIDDEN, msg)
- pats = ['path:' + file]
+ # The file path has an extra "/" that must be removed
+ pats = ['path:' + file[6:]]
 mimetype, artype, extension, encoding = web.archive_specs[type_]
 headers = [
diff --git a/mercurial/templates/coal/map b/mercurial/templates/coal/map
--- a/mercurial/templates/coal/map
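Review bot: In the webcommands.py hunk the guard `startswith('path:/')` and the slice `file[6:]` encode the same prefix twice, and the 403 message names `'path:'` even though a value such as `path:foo` is rejected too. I would bind the prefix once, `prefix = 'path:/'`, test `file.lower().startswith(prefix)`, build `pats = ['path:' + file[len(prefix):]]`, and have the message say `'path:/'`. The remainder after the prefix is forwarded unchecked, so a second leading slash or `..` segments reach the matcher as written; whether they are rejected depends on canonicalisation outside this hunk, which I cannot see, so a comment stating that reliance (or an explicit check here) would help. The enclosing function starts before and continues after the hunk.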
+++ b/mercurial/templates/coal/map @@ -224,7 +224,7 @@ index = ../paper/index.tmpl archiveentry = '
  • - {type|escape} + {type|escape}
  • ' notfound = ../paper/notfound.tmpl error = ../paper/error.tmpl diff --git a/mercurial/templates/gitweb/map b/mercurial/templates/gitweb/map --- a/mercurial/templates/gitweb/map +++ b/mercurial/templates/gitweb/map @@ -289,7 +289,7 @@ file | diff | annotate {rename%filelogrename} ' -archiveentry = ' | {type|escape} ' +archiveentry = ' | {type|escape} ' indexentry = ' diff --git a/mercurial/templates/monoblue/map b/mercurial/templates/monoblue/map --- a/mercurial/templates/monoblue/map +++ b/mercurial/templates/monoblue/map @@ -245,7 +245,7 @@ {rename%filelogrename} ' -archiveentry = '
  • {type|escape}
  • ' +archiveentry = '
  • {type|escape}
  • ' indexentry = ' {name|escape} diff --git a/mercurial/templates/paper/map b/mercurial/templates/paper/map --- a/mercurial/templates/paper/map +++ b/mercurial/templates/paper/map @@ -232,7 +232,7 @@ index = index.tmpl archiveentry = '
  • - {type|escape} + {type|escape}
  • ' notfound = notfound.tmpl error = error.tmpl