Submitter | Gregory Szorc |
---|---|
Date | Aug. 16, 2016, 3:39 a.m. |
Message ID | <4d33314178c961d924de.1471318775@ubuntu-vm-main> |
Permalink | /patch/16305/ |
State | Accepted |
Comments
On Mon, 15 Aug 2016 20:39:35 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1471318773 25200
> # Mon Aug 15 20:39:33 2016 -0700
> # Node ID 4d33314178c961d924de561d725c5febd4cacee0
> # Parent 997e8cf4d0a29d28759e38659736cb3d1cf9ef3f
> hgweb: document why we don't allow untrusted settings to control zlib

Queued, thanks.
Patch
diff --git a/mercurial/hgweb/protocol.py b/mercurial/hgweb/protocol.py --- a/mercurial/hgweb/protocol.py +++ b/mercurial/hgweb/protocol.py @@ -69,16 +69,19 @@ class webproto(wireproto.abstractserverp def redirect(self): self.oldio = self.ui.fout, self.ui.ferr self.ui.ferr = self.ui.fout = stringio() def restore(self): val = self.ui.fout.getvalue() self.ui.ferr, self.ui.fout = self.oldio return val def groupchunks(self, cg): + # Don't allow untrusted settings because disabling compression or + # setting a very high compression level could lead to flooding + # the server's network or CPU. z = zlib.compressobj(self.ui.configint('server', 'zliblevel', -1)) while True: chunk = cg.read(4096) if not chunk: break yield z.compress(chunk) yield z.flush() def _client(self):
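Review bot: the new comment in groupchunks states that untrusted settings are not allowed, but the `self.ui.configint('server', 'zliblevel', -1)` call directly below it passes no explicit trust argument, so the guarantee rests entirely on the lookup's default and cannot be confirmed from these lines. Consider passing `untrusted=False` explicitly, or having the comment say that the default lookup ignores untrusted config, so a later edit to the call does not silently invalidate the comment. It would also help to name the `server.zliblevel` option in the comment, since "settings" alone does not tell the reader which knob controls the network and CPU exposure described.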