From patchwork Fri Aug 16 20:03:29 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [5, of, 6, V2] hgweb: blacklist heavyweight revset functions in hgweb search
From: Alexander Plavin
X-Patchwork-Id: 2186
Message-Id:
To: mercurial-devel@selenic.com
Date: Sat, 17 Aug 2013 00:03:29 +0400
# HG changeset patch
# User Alexander Plavin
# Date 1374269558 -14400
# Sat Jul 20 01:32:38 2013 +0400
# Node ID b913f96bf64f241a3253f64a71d637f440ab5ded
# Parent 916a7171b59f371732758ab473c4bf5467631a13
hgweb: blacklist heavyweight revset functions in hgweb search
Disallow usage of functions 'contains' and 'grep'.
diff -r 916a7171b59f -r b913f96bf64f mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py Wed Aug 07 01:21:31 2013 +0400
+++ b/mercurial/hgweb/webcommands.py Sat Jul 20 01:32:38 2013 +0400
@@ -178,6 +178,10 @@
 if any((token, (value or '')[:3]) == ('string', 're:') for token, value, pos in revset.tokenize(revdef)): return 'kw'
+ funcsused = revset.funcsused(tree)
+ blacklist = set(['contains', 'grep'])
+ if funcsused & blacklist:
+ return 'kw'
 mfunc = revset.match(None, revdef)
 try:
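Review bot: The new guard `if funcsused & blacklist:` is a deny-list of two names, so it fails open: any other costly revset function, including one registered by an extension, is still evaluated for anyone who can reach the hgweb search form. Consider inverting it into an allow-list of functions known to be cheap, e.g. `if not funcsused <= safefuncs: return 'kw'` (`safefuncs` is a placeholder name, not something in this file). Failing that, hoist the set to a module-level constant, since it is rebuilt on every request, with a comment such as `# too expensive to run for anonymous web users; extend when new heavy predicates are added`. `tree` is assigned outside the hunk and the enclosing function starts and ends outside it, so whether `revset.funcsused(tree)` sees functions nested inside sub-expressions cannot be confirmed from these lines.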