From patchwork Sat Apr 13 19:45:19 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [2, of, 2, V3] hgweb: respond HTTP_NOT_FOUND when an archive request does not match any files
From: Angel Ezquerra
X-Patchwork-Id: 1295
Message-Id: <006cff2401160874ce40.1365882319@Angel-PC.localdomain>
To: mercurial-devel@selenic.com
Date: Sat, 13 Apr 2013 21:45:19 +0200
# HG changeset patch
# User Angel Ezquerra
# Date 1363904857 -3600
# Thu Mar 21 23:27:37 2013 +0100
# Node ID 006cff2401160874ce4086da6c45fa0d85650204
# Parent 47797f2b57b3e4e4512b3c637d3082a6f7c6dee4
hgweb: respond HTTP_NOT_FOUND when an archive request does not match any files
diff --git a/mercurial/hgweb/webcommands.py b/mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py
+++ b/mercurial/hgweb/webcommands.py
@@ -819,15 +819,16 @@
 ctx = webutil.changectx(web.repo, req)
 pats = []
+ matchfn = None
 file = req.form.get('file', None)
 if file:
- file = file[0]
- patandfile = file.split(':')
- if len(patandfile) > 1 and patandfile[0].lower() in ('glob', 'relglob',
- 'path', 'relpath', 're', 'relre', 'set'):
- msg = 'Archive pattern not allowed: %s' % file
- raise ErrorResponse(HTTP_FORBIDDEN, msg)
- pats = ['path:' + file]
+ pats = ['path:' + file[0]]
+ matchfn = scmutil.match(ctx, pats, default='path')
+ if pats:
+ files = [f for f in ctx.manifest().keys() if matchfn(f)]
+ if not files:
+ raise ErrorResponse(HTTP_NOT_FOUND,
+ 'file(s) not found: %s' % file[0])
 mimetype, artype, extension, encoding = web.archive_specs[type_]
 headers = [
@@ -838,7 +839,6 @@
 req.headers.extend(headers)
 req.respond(HTTP_OK, mimetype)
- matchfn = scmutil.match(ctx, pats, default='path')
 archival.archive(web.repo, req, cnode, artype, prefix=name, matchfn=matchfn, subrepos=web.configbool("web", "archivesubrepos"))
diff --git a/tests/test-archive.t b/tests/test-archive.t
--- a/tests/test-archive.t
+++ b/tests/test-archive.t
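Review bot: With the explicit `Archive pattern not allowed` check removed, the literal `'path:' +` concatenation in `pats = ['path:' + file[0]]` appears to be the only thing that keeps a request-supplied `re:`, `set:` or `glob:` prefix from being read as a pattern kind, and nothing in the hunk records that. A comment above that line would protect the invariant from a later refactor, e.g. `# always prefix with 'path:' so a kind supplied in the request (re:, set:, ...) is matched as a literal path`. Separately, `file[0]` is still interpolated into the `ErrorResponse` message, and the test output in this patch suggests that message reaches the HTTP status line, so it is worth confirming that control characters in the request value cannot end up there. The list comprehension over `ctx.manifest().keys()` also materialises every match only to test for emptiness; a loop that stops at the first match would do. The enclosing function starts and ends outside the hunk.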
@@ -108,10 +108,15 @@
 $ python getarchive.py "$TIP" gz foo | gunzip | tar tf - 2>/dev/null
 test-archive-2c0277f05ed4/foo
+test that we detect file patterns that match no files
+
+ $ python getarchive.py "$TIP" gz foobar
+ HTTP Error 404: file(s) not found: foobar
+
 test that we reject unsafe patterns
 $ python getarchive.py "$TIP" gz relre:baz
- HTTP Error 403: Archive pattern not allowed: relre:baz
+ HTTP Error 404: file(s) not found: relre:baz
 $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
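Review bot: The section headed `test that we reject unsafe patterns` still exercises only `relre:baz`, while the server-side check this patch removes named seven kinds (`glob`, `relglob`, `path`, `relpath`, `re`, `relre`, `set`). Since the outcome now depends on the value being matched as a literal path rather than on an explicit deny-list, one more case for a kind with different semantics, such as a `set:` request expecting the same `HTTP Error 404: file(s) not found: ...` line, would pin that behaviour. The heading could also be reworded, because the request is no longer rejected with 403 but reported as not found.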