Patchwork [23,of,23] hgwebdir: read 'web.template' untrusted

Submitter Boris Feld
Date Sept. 16, 2017, 6:28 p.m.
Message ID <57231a130210d31431b7.1505586510@FB>
Permalink /patch/23975/
State Accepted

Comments

Boris Feld - Sept. 16, 2017, 6:28 p.m.
# HG changeset patch
# User Boris Feld <boris.feld@octobus.net>
# Date 1505494670 -7200
#      ven. sept. 15 18:57:50 2017 +0200
# Node ID 57231a130210d31431b727a74d91165c7802d387
# Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
# EXP-Topic config.cleanup
hgwebdir: read 'web.template' untrusted

The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
the two versions of this code.
Gregory Szorc - Sept. 16, 2017, 8:42 p.m.
On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:

> # HG changeset patch
> # User Boris Feld <boris.feld@octobus.net>
> # Date 1505494670 -7200
> #      ven. sept. 15 18:57:50 2017 +0200
> # Node ID 57231a130210d31431b727a74d91165c7802d387
> # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> # EXP-Topic config.cleanup
> hgwebdir: read 'web.template' untrusted
>
> The 'hgweb_mod.py' version of this read it untrusted. For consistency we
> align the two versions of this code.
>

Hmm.

This is related to 1a45e49a6bed and represents a potential security issue.

Could you please send a patch against stable so we can get this in the
4.3.2 release?


>
> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> --- a/mercurial/hgweb/hgwebdir_mod.py   ven. juin 30 03:45:53 2017 +0200
> +++ b/mercurial/hgweb/hgwebdir_mod.py   ven. sept. 15 18:57:50 2017 +0200
> @@ -174,7 +174,7 @@
>          self.ui = u
>          encoding.encoding = self.ui.config('web', 'encoding')
>          self.style = self.ui.config('web', 'style')
> -        self.templatepath = self.ui.config('web', 'templates')
> +        self.templatepath = self.ui.config('web', 'templates',
> untrusted=False)
>          self.stripecount = self.ui.config('web', 'stripes')
>          if self.stripecount:
>              self.stripecount = int(self.stripecount)
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel@mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
>
Augie Fackler - Sept. 16, 2017, 9:28 p.m.
> On Sep 16, 2017, at 4:42 PM, Gregory Szorc <gregory.szorc@gmail.com> wrote:
> 
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
> # HG changeset patch
> # User Boris Feld <boris.feld@octobus.net>
> # Date 1505494670 -7200
> #      ven. sept. 15 18:57:50 2017 +0200
> # Node ID 57231a130210d31431b727a74d91165c7802d387
> # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> # EXP-Topic config.cleanup
> hgwebdir: read 'web.template' untrusted
> 
> The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
> the two versions of this code.
> 
> Hmm.
> 
> This is related to 1a45e49a6bed and represents a potential security issue.
> 
> Could you please send a patch against stable so we can get this in the 4.3.2 release?

+1. Also, should the trusted-ness of a config setting be something that’s a property of its registration, rather than its use? Can we think of configurations that have a dual nature depending on context?

>  
> 
> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> --- a/mercurial/hgweb/hgwebdir_mod.py   ven. juin 30 03:45:53 2017 +0200
> +++ b/mercurial/hgweb/hgwebdir_mod.py   ven. sept. 15 18:57:50 2017 +0200
> @@ -174,7 +174,7 @@
>          self.ui = u
>          encoding.encoding = self.ui.config('web', 'encoding')
>          self.style = self.ui.config('web', 'style')
> -        self.templatepath = self.ui.config('web', 'templates')
> +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
>          self.stripecount = self.ui.config('web', 'stripes')
>          if self.stripecount:
>              self.stripecount = int(self.stripecount)
Gregory Szorc - Sept. 16, 2017, 11:05 p.m.
> On Sep 16, 2017, at 14:28, Augie Fackler <raf@durin42.com> wrote:
> 
> 
>> On Sep 16, 2017, at 4:42 PM, Gregory Szorc <gregory.szorc@gmail.com> wrote:
>> 
>>> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
>>> # HG changeset patch
>>> # User Boris Feld <boris.feld@octobus.net>
>>> # Date 1505494670 -7200
>>> #      ven. sept. 15 18:57:50 2017 +0200
>>> # Node ID 57231a130210d31431b727a74d91165c7802d387
>>> # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
>>> # EXP-Topic config.cleanup
>>> hgwebdir: read 'web.template' untrusted
>>> 
>>> The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
>>> the two versions of this code.
>> 
>> Hmm.
>> 
>> This is related to 1a45e49a6bed and represents a potential security issue.
>> 
>> Could you please send a patch against stable so we can get this in the 4.3.2 release?
> 
> +1. Also, should the trusted-ness of a config setting be something that’s a property of its registration, rather than its use? Can we think of configurations that have a dual nature depending on context?

I think it should. I can't think of any dual nature configs.

> 
>>  
>>> 
>>> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
>>> --- a/mercurial/hgweb/hgwebdir_mod.py   ven. juin 30 03:45:53 2017 +0200
>>> +++ b/mercurial/hgweb/hgwebdir_mod.py   ven. sept. 15 18:57:50 2017 +0200
>>> @@ -174,7 +174,7 @@
>>>          self.ui = u
>>>          encoding.encoding = self.ui.config('web', 'encoding')
>>>          self.style = self.ui.config('web', 'style')
>>> -        self.templatepath = self.ui.config('web', 'templates')
>>> +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
>>>          self.stripecount = self.ui.config('web', 'stripes')
>>>          if self.stripecount:
>>>              self.stripecount = int(self.stripecount)
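One way to make trust a property of registration rather than of each call site, as Augie Fackler asks above and Gregory Szorc agrees it should be. This is an added illustrative sketch, not Mercurial's own code: `configitem`, `registry`, `Config`, `hgwebdir_settings` and the sample values are hypothetical, and it simplifies the trusted/untrusted distinction to two value layers.

```python
# Added illustration (not Mercurial code): trust declared once, at
# registration, instead of at every ui.config() call site.
registry = {}

def configitem(section, name, default=None, untrusted=False):
    """Register an item and record whether untrusted config may set it."""
    registry[(section, name)] = {'default': default, 'untrusted': untrusted}

# The three reads from the hunk. A cosmetic choice or a stripe count can
# be honoured from an untrusted file; the template path selects which
# files the server loads from disk, so only trusted config may set it.
configitem('web', 'style', default='paper', untrusted=True)
configitem('web', 'stripes', default=1, untrusted=True)
configitem('web', 'templates', default=None, untrusted=False)

class Config:
    """Two layers (simplified): values from trusted files and values from
    files owned by other users, which Mercurial treats as untrusted."""

    def __init__(self, trusted, untrusted):
        self.trusted = trusted
        self.untrusted = untrusted

    def get(self, section, name):
        """Resolve a value; the registry, not the caller, decides trust."""
        key = (section, name)
        item = registry[key]  # KeyError for an unregistered item is deliberate
        if item['untrusted'] and key in self.untrusted:
            return self.untrusted[key]
        if key in self.trusted:
            return self.trusted[key]
        return item['default']

def hgwebdir_settings(cfg):
    """Equivalent of the three assignments in the hunk, via the registry."""
    return {'style': cfg.get('web', 'style'),
            'templatepath': cfg.get('web', 'templates'),
            'stripecount': int(cfg.get('web', 'stripes'))}

# Constructed sample: an untrusted repository hgrc tries to set all three;
# only the items registered as untrusted-safe take effect from that layer.
SAMPLE = Config(
    trusted={('web', 'templates'): '/srv/hg/templates'},
    untrusted={('web', 'style'): 'gitweb',
               ('web', 'stripes'): '2',
               ('web', 'templates'): '/home/otheruser/templates'},
)
```

With this shape a forgotten `untrusted=` argument at a call site can no longer widen trust, which is the class of inconsistency the patch above is fixing by hand.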
Boris Feld - Sept. 18, 2017, 7:51 a.m.
On Sat, 2017-09-16 at 13:42 -0700, Gregory Szorc wrote:
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net>
> wrote:
> > # HG changeset patch
> > # User Boris Feld <boris.feld@octobus.net>
> > # Date 1505494670 -7200
> > #      ven. sept. 15 18:57:50 2017 +0200
> > # Node ID 57231a130210d31431b727a74d91165c7802d387
> > # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> > # EXP-Topic config.cleanup
> > hgwebdir: read 'web.template' untrusted
> > 
> > The 'hgweb_mod.py' version of this read it untrusted. For
> > consistency we align the two versions of this code.
> 
> Hmm.
> 
> This is related to 1a45e49a6bed and represents a potential security
> issue.
> 
> Could you please send a patch against stable so we can get this in
> the 4.3.2 release?

Yes, of course, sending it right now.
>  
> > 
> > diff -r 93a8e90493a2 -r 57231a130210
> > mercurial/hgweb/hgwebdir_mod.py
> > 
> > --- a/mercurial/hgweb/hgwebdir_mod.py   ven. juin 30 03:45:53 2017
> > +0200
> > 
> > +++ b/mercurial/hgweb/hgwebdir_mod.py   ven. sept. 15 18:57:50 2017
> > +0200
> > 
> > @@ -174,7 +174,7 @@
> > 
> >          self.ui = u
> > 
> >          encoding.encoding = self.ui.config('web', 'encoding')
> > 
> >          self.style = self.ui.config('web', 'style')
> > 
> > -        self.templatepath = self.ui.config('web', 'templates')
> > 
> > +        self.templatepath = self.ui.config('web', 'templates',
> > untrusted=False)
> > 
> >          self.stripecount = self.ui.config('web', 'stripes')
> > 
> >          if self.stripecount:
> > 
> >              self.stripecount = int(self.stripecount)
> > 

Patch

diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
+++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
@@ -174,7 +174,7 @@ 
         self.ui = u
         encoding.encoding = self.ui.config('web', 'encoding')
         self.style = self.ui.config('web', 'style')
-        self.templatepath = self.ui.config('web', 'templates')
+        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
         self.stripecount = self.ui.config('web', 'stripes')
         if self.stripecount:
             self.stripecount = int(self.stripecount)
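Review bot: the summary says hgwebdir now reads the setting untrusted, but the changed line passes `untrusted=False`, which requests the trusted value, and the key the hunk touches is 'web.templates', not 'web.template'. Please reword the message to match the code, for example "hgwebdir: read 'web.templates' trusted explicitly", and say why in the body: this value is a filesystem path that decides which template files the server loads, so it must not be taken from an untrusted hgrc. The neighbouring reads of 'web.encoding', 'web.style' and 'web.stripes' in the same hunk still rely on the implicit default; if the goal is alignment with hgweb_mod.py, consider making their trust explicit in the same change.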