From patchwork Fri Aug  9 18:54:58 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [4, of, 4,
 V2] hgweb: config option to blacklist some revset functions in hgweb
 search
From: Alexander Plavin <alexander@plav.in>
X-Patchwork-Id: 2105
Message-Id: <e495c742bf85e0aef491.1376074498@debian-alexander.dolgopa>
To: mercurial-devel@selenic.com
Date: Fri, 09 Aug 2013 22:54:58 +0400

# HG changeset patch
# User Alexander Plavin <alexander@plav.in>
# Date 1374269558 -14400
#      Sat Jul 20 01:32:38 2013 +0400
# Node ID e495c742bf85e0aef4919c94f08effa6effd3695
# Parent  80319cecf93938fb529984f4a2f5c105bcc709b1
hgweb: config option to blacklist some revset functions in hgweb search

This option defaults to ['contains'], as this is a heavy-weight function.

diff -r 80319cecf939 -r e495c742bf85 mercurial/help/config.txt
--- a/mercurial/help/config.txt	Wed Aug 07 01:16:14 2013 +0400
+++ b/mercurial/help/config.txt	Sat Jul 20 01:32:38 2013 +0400
@@ -1461,6 +1461,10 @@
     Whether to require that inbound pushes be transported over SSL to
     prevent password sniffing. Default is True.
 
+``revsetblacklist``
+    List of revset functions which are not allowed in search queries.
+    Default is 'contains'.
+
 ``staticurl``
     Base URL to use for static files. If unset, static files (e.g. the
     hgicon.png favicon) will be served by the CGI script itself. Use
diff -r 80319cecf939 -r e495c742bf85 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py	Wed Aug 07 01:16:14 2013 +0400
+++ b/mercurial/hgweb/webcommands.py	Sat Jul 20 01:32:38 2013 +0400
@@ -211,7 +211,11 @@
             # can't parse to a tree
             modename = 'kw'
         else:
-            if revset.depth(tree) > 2:
+            funcsused = revset.funcsused(tree)
+            blacklist = web.configlist('web', 'revsetblacklist', ['contains'])
+            blacklist = set(blacklist)
+
+            if revset.depth(tree) > 2 and not funcsused & blacklist:
                 mfunc = revset.match(None, revdef)
                 try:
                     # try running against empty subset
@@ -224,7 +228,7 @@
                     # can't run the revset query, e.g. some function misspelled
                     modename = 'kw'
             else:
-                # no revset syntax used
+                # no revset syntax used or blacklisted functions in the query
                 modename = 'kw'
 
     searchfunc = searchfuncs[modename]