Patchwork [5,of,6,V2] hgweb: blacklist heavyweight revset functions in hgweb search

Submitter Alexander Plavin
Date Aug. 16, 2013, 8:03 p.m.
Message ID <b913f96bf64f241a3253.1376683409@debian-alexander.dolgopa>
Permalink /patch/2186/
State Superseded

Comments

Alexander Plavin - Aug. 16, 2013, 8:03 p.m.
# HG changeset patch
# User Alexander Plavin <alexander@plav.in>
# Date 1374269558 -14400
#      Sat Jul 20 01:32:38 2013 +0400
# Node ID b913f96bf64f241a3253f64a71d637f440ab5ded
# Parent  916a7171b59f371732758ab473c4bf5467631a13
hgweb: blacklist heavyweight revset functions in hgweb search

Disallow usage of functions 'contains' and 'grep'.

Patch

diff -r 916a7171b59f -r b913f96bf64f mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py	Wed Aug 07 01:21:31 2013 +0400
+++ b/mercurial/hgweb/webcommands.py	Sat Jul 20 01:32:38 2013 +0400
@@ -178,6 +178,10 @@ 
         if any((token, (value or '')[:3]) == ('string', 're:')
                for token, value, pos in revset.tokenize(revdef)):
             return 'kw'
+        funcsused = revset.funcsused(tree)
+        blacklist = set(['contains', 'grep'])
+        if funcsused & blacklist:
+            return 'kw'
 
         mfunc = revset.match(None, revdef)
         try:
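
Review bot: the `blacklist = set(['contains', 'grep'])` line added here is a hard-coded denylist that is rebuilt on every call and has no comment saying why these two functions count as heavyweight. Because the check is `funcsused & blacklist`, any revset function not named in the set is allowed by default, so the protection fails open for anything else that turns out to be expensive. Consider hoisting the set to a module-level constant with a short comment on the selection criterion, and consider whether an allowlist of functions known to be cheap would be the safer default for a web-facing search box. The fallback to `'kw'` is also silent, matching the `re:` check above it; a brief comment that the query is deliberately downgraded to keyword search would help the next reader.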