Patchwork [2,of,5,V4] hgweb: restrict usage of regular expressions in search

Submitter Alexander Plavin
Date Sept. 4, 2013, 7:13 p.m.
Message ID <a7a859be2d42f36c3932.1378321985@debian-alexander.dolgopa>
Permalink /patch/2329/
State Changes Requested
Delegated to: Kevin Bullock

Comments

Alexander Plavin - Sept. 4, 2013, 7:13 p.m.
# HG changeset patch
# User Alexander Plavin <alexander@plav.in>
# Date 1376650882 -14400
#      Fri Aug 16 15:01:22 2013 +0400
# Node ID a7a859be2d42f36c3932b403db662e4b403e93a6
# Parent  20d30e47780261b1c11f20cfd619820a616c1d86
hgweb: restrict usage of regular expressions in search

If the search query has strings defining revset regular expressions
(those starting with 're:'), revset syntax is disabled. It eliminates the
possibility of ReDoS.
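
To make the behaviour of that check concrete, here is an added, stand-alone Python 3 illustration; it is not Mercurial's code and not part of the patch. Its `tokenize` is a small stand-in for `revset.tokenize` (assumed to yield the same `(type, value, pos)` tuples and to decode backslash escapes inside quoted strings), `classify` plays the role of the hgweb search-mode decision, and its fail-closed treatment of malformed input is this example's own choice. It goes beyond the patch by contrasting the token-based test with a naive `'re:' in query` substring check.

```python
# Added illustration of the 're:' guard.  Stand-alone Python 3; NOT
# Mercurial's code.  `tokenize` is a deliberately small stand-in for
# mercurial.revset.tokenize (assumption: same (type, value, pos) token
# shape, backslash escapes in quoted strings decoded).
MODE_KEYWORD = 'keyword'   # plain substring search, never touches re
MODE_REVSET = 'revset'     # query handed to the revset engine


class ParseError(ValueError):
    """Raised on malformed input, e.g. an unterminated quoted string."""


def tokenize(program):
    """Yield (type, value, pos) tokens for a tiny revset-like grammar.

    Quoted strings become ('string', decoded_value, pos); bare words become
    ('symbol', word, pos); punctuation becomes (char, None, pos).
    """
    pos, end = 0, len(program)
    while pos < end:
        c = program[pos]
        if c.isspace():
            pos += 1
        elif c in '()&|!~^:,.-':
            yield (c, None, pos)
            pos += 1
        elif c in '"\'':
            start = pos + 1
            pos += 1
            while pos < end:
                if program[pos] == '\\':      # keep escape, decode below
                    pos += 2
                    continue
                if program[pos] == c:         # closing quote
                    raw = program[start:pos]
                    value = (raw.encode('latin-1', 'backslashreplace')
                                .decode('unicode_escape'))
                    yield ('string', value, start)
                    pos += 1
                    break
                pos += 1
            else:
                raise ParseError('unterminated string at %d' % start)
        elif c.isalnum() or c in '_@':
            start = pos
            while pos < end and (program[pos].isalnum()
                                 or program[pos] in '_@/'):
                pos += 1
            yield ('symbol', program[start:pos], start)
        else:
            raise ParseError('syntax error at %d' % pos)
    yield ('end', None, pos)


def uses_regex_pattern(revdef):
    """True when any *string token* starts with 're:' (the patch's test).

    Only decoded string tokens are inspected: 're:' in the middle of a
    string, or an unquoted re:foo (symbol ':' symbol), does not count,
    while an escaped spelling such as "\\x72e:..." does.
    """
    return any(tok == 'string' and (value or '')[:3] == 're:'
               for tok, value, _pos in tokenize(revdef))


def naive_uses_regex_pattern(query):
    """Substring shortcut, kept only to show its false positives."""
    return 're:' in query


def classify(query):
    """Search mode an hgweb-style handler would pick for `query`.

    Malformed input is also sent to keyword search: failing closed keeps
    un-tokenizable queries away from the regex engine.  That fallback is
    this example's choice, not something the patch itself does.
    """
    try:
        if uses_regex_pattern(query):
            return MODE_KEYWORD
    except ParseError:
        return MODE_KEYWORD
    return MODE_REVSET


if __name__ == '__main__':
    # Constructed sample queries, including a catastrophic-backtracking
    # pattern that the guard never lets reach re.compile()/re.search().
    for q in ['user("test")', 'user("re:test")', 'user("re:(a+)+$")',
              'keyword("here: x")', 'user(re:test)',
              r'user("\x72e:test")', 'user("re:']:
        print('%-24s -> %s' % (q, classify(q)))
```

The `keyword("here: x")` case is the reason the check walks tokens rather than the raw query: the substring shortcut flags it and would silently cripple an innocent search, while the token-based test leaves it as a revset. The `"\x72e:test"` case shows why the test must run on the decoded string value, not on the query text.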

Patch

diff -r 20d30e477802 -r a7a859be2d42 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py	Tue Sep 03 20:02:53 2013 +0400
+++ b/mercurial/hgweb/webcommands.py	Fri Aug 16 15:01:22 2013 +0400
@@ -179,6 +179,10 @@ 
             # no revset syntax used
             return MODE_KEYWORD, query
 
+        if util.any((token, (value or '')[:3]) == ('string', 're:')
+                    for token, value, pos in revset.tokenize(revdef)):
+            return MODE_KEYWORD, query
+
         mfunc = revset.match(None, revdef)
         try:
             # try running against empty subset
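Review bot: the new early return needs a comment (like the `# no revset syntax used` one just above it) stating that queries containing `re:` string patterns are deliberately downgraded to a keyword search to avoid ReDoS; without it the branch reads as another "no revset syntax" case, and the user gets no signal that their regex was ignored, so consider surfacing that in the response as well. Minor: `token == 'string' and (value or '').startswith('re:')` reads more clearly than comparing the constructed tuple against `('string', 're:')`.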
diff -r 20d30e477802 -r a7a859be2d42 tests/test-hgweb-commands.t
--- a/tests/test-hgweb-commands.t	Tue Sep 03 20:02:53 2013 +0400
+++ b/tests/test-hgweb-commands.t	Fri Aug 16 15:01:22 2013 +0400
@@ -632,6 +632,56 @@ 
   
   
 
+  $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("test")&style=raw'
+  200 Script output follows
+  
+  
+  # HG changesets search
+  # Node ID cad8025a2e87f88c06259790adfa15acb4080123
+  # Query "user("test")"
+  
+  changeset:   cad8025a2e87f88c06259790adfa15acb4080123
+  revision:    3
+  user:        test
+  date:        Thu, 01 Jan 1970 00:00:00 +0000
+  summary:     branch commit with null character: \x00 (esc)
+  branch:      unstable
+  tag:         tip
+  bookmark:    something
+  
+  changeset:   1d22e65f027e5a0609357e7d8e7508cd2ba5d2fe
+  revision:    2
+  user:        test
+  date:        Thu, 01 Jan 1970 00:00:00 +0000
+  summary:     branch
+  branch:      stable
+  
+  changeset:   a4f92ed23982be056b9852de5dfe873eaac7f0de
+  revision:    1
+  user:        test
+  date:        Thu, 01 Jan 1970 00:00:00 +0000
+  summary:     Added tag 1.0 for changeset 2ef0ac749a14
+  branch:      default
+  
+  changeset:   2ef0ac749a14e4f57a5a822464a0902c6f7f448f
+  revision:    0
+  user:        test
+  date:        Thu, 01 Jan 1970 00:00:00 +0000
+  summary:     base
+  tag:         1.0
+  bookmark:    anotherthing
+  
+  
+  $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'log?rev=user("re:test")&style=raw'
+  200 Script output follows
+  
+  
+  # HG changesets search
+  # Node ID cad8025a2e87f88c06259790adfa15acb4080123
+  # Query "user("re:test")"
+  
+  
+
 File-related
 
   $ "$TESTDIR/get-with-headers.py" 127.0.0.1:$HGPORT 'file/1/foo/?style=raw'
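Review bot: the new test only exercises the negative side, and the empty listing for `user("re:test")` is indistinguishable in raw output from a revset that ran and matched nothing. Two boundary cases would pin down the check: a string that contains `re:` without starting with it (which should still run as a revset and return results), and a `re:` string in a nested position such as `user("test") and desc("re:branch")`, which should also fall back to keyword mode.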