Patchwork [4,of,5,V4] hgweb: allow only whitelisted revset functions in hgweb search

Submitter Alexander Plavin
Date Sept. 4, 2013, 7:13 p.m.
Message ID <939c1b6f7e443f32b801.1378321987@debian-alexander.dolgopa>
Permalink /patch/2330/
State Changes Requested
Delegated to: Kevin Bullock

Comments

Alexander Plavin - Sept. 4, 2013, 7:13 p.m.
# HG changeset patch
# User Alexander Plavin <alexander@plav.in>
# Date 1374269558 -14400
#      Sat Jul 20 01:32:38 2013 +0400
# Node ID 939c1b6f7e443f32b801f5e6b85da790fdc5324e
# Parent  c670daa7b41d00d9be9ebeae910e2ea743f02e5b
hgweb: allow only whitelisted revset functions in hgweb search

Allow only the functions explicitly whitelisted in revset.py to be used.

Patch

diff -r c670daa7b41d -r 939c1b6f7e44 mercurial/hgweb/webcommands.py
--- a/mercurial/hgweb/webcommands.py	Wed Aug 07 01:21:31 2013 +0400
+++ b/mercurial/hgweb/webcommands.py	Sat Jul 20 01:32:38 2013 +0400
@@ -183,6 +183,10 @@ 
                     for token, value, pos in revset.tokenize(revdef)):
             return MODE_KEYWORD, query
 
+        funcsused = revset.funcsused(tree)
+        if not funcsused.issubset(revset.safesymbols):
+            return MODE_KEYWORD, query
+
         mfunc = revset.match(None, revdef)
         try:
             # try running against empty subset
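Review bot: The new guard `if not funcsused.issubset(revset.safesymbols): return MODE_KEYWORD, query` silently downgrades a query that names a non-whitelisted function to a keyword search, and nothing on the line says why; a short comment would help the next reader, e.g. `# only functions in revset.safesymbols may run from the web; anything else (including functions added later) falls back to keyword search`. The direction is the right one: an unknown function name is rejected rather than accepted, so new revset functions stay excluded until someone adds them to the whitelist deliberately. The `tree` passed to `revset.funcsused` is computed before this hunk, presumably by an earlier patch in this series, and the enclosing function both starts and ends outside the hunk.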
diff -r c670daa7b41d -r 939c1b6f7e44 mercurial/revset.py
--- a/mercurial/revset.py	Wed Aug 07 01:21:31 2013 +0400
+++ b/mercurial/revset.py	Sat Jul 20 01:32:38 2013 +0400
@@ -1609,6 +1609,74 @@ 
     "_list": _list,
 }
 
+# symbols which don't become too heavyweight for some inputs
+# (like those that accept regexes as plain string)
+safesymbols = set([
+    "adds",
+    "all",
+    "ancestor",
+    "ancestors",
+    "_firstancestors",
+    "author",
+    "bisect",
+    "bisected",
+    "bookmark",
+    "branch",
+    "branchpoint",
+    "bumped",
+    "bundle",
+    "children",
+    "closed",
+    "converted",
+    "date",
+    "desc",
+    "descendants",
+    "_firstdescendants",
+    "destination",
+    "divergent",
+    "draft",
+    "extinct",
+    "extra",
+    "file",
+    "filelog",
+    "first",
+    "follow",
+    "_followfirst",
+    "head",
+    "heads",
+    "hidden",
+    "id",
+    "keyword",
+    "last",
+    "limit",
+    "_matchfiles",
+    "max",
+    "merge",
+    "min",
+    "modifies",
+    "obsolete",
+    "origin",
+    "outgoing",
+    "p1",
+    "p2",
+    "parents",
+    "present",
+    "public",
+    "remote",
+    "removes",
+    "rev",
+    "reverse",
+    "roots",
+    "sort",
+    "secret",
+    "matching",
+    "tag",
+    "tagged",
+    "user",
+    "unstable",
+    "_list",
+])
+
 methods = {
     "range": rangeset,
     "dagrange": dagrange,