Submitter | Boris Feld |
---|---|
Date | Sept. 16, 2017, 6:28 p.m. |
Message ID | <57231a130210d31431b7.1505586510@FB> |
Permalink | /patch/23975/ |
State | Accepted |
Comments
On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
> # HG changeset patch
> # User Boris Feld <boris.feld@octobus.net>
> # Date 1505494670 -7200
> # ven. sept. 15 18:57:50 2017 +0200
> # Node ID 57231a130210d31431b727a74d91165c7802d387
> # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> # EXP-Topic config.cleanup
> hgwebdir: read 'web.template' untrusted
>
> The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
> the two versions of this code.

Hmm.

This is related to 1a45e49a6bed and represents a potential security issue.

Could you please send a patch against stable so we can get this in the 4.3.2 release?

> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> --- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
> +++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
> @@ -174,7 +174,7 @@
>          self.ui = u
>          encoding.encoding = self.ui.config('web', 'encoding')
>          self.style = self.ui.config('web', 'style')
> -        self.templatepath = self.ui.config('web', 'templates')
> +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
>          self.stripecount = self.ui.config('web', 'stripes')
>          if self.stripecount:
>              self.stripecount = int(self.stripecount)
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel@mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
> On Sep 16, 2017, at 4:42 PM, Gregory Szorc <gregory.szorc@gmail.com> wrote:
>
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
>> # HG changeset patch
>> # User Boris Feld <boris.feld@octobus.net>
>> # Date 1505494670 -7200
>> # ven. sept. 15 18:57:50 2017 +0200
>> # Node ID 57231a130210d31431b727a74d91165c7802d387
>> # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca
>> # EXP-Topic config.cleanup
>> hgwebdir: read 'web.template' untrusted
>>
>> The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
>> the two versions of this code.
>
> Hmm.
>
> This is related to 1a45e49a6bed and represents a potential security issue.
>
> Could you please send a patch against stable so we can get this in the 4.3.2 release?

+1. Also, should the trusted-ness of a config setting be something that's a property of its registration, rather than its use? Can we think of configurations that have a dual nature depending on context?

>> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
>> --- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
>> +++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
>> @@ -174,7 +174,7 @@
>>          self.ui = u
>>          encoding.encoding = self.ui.config('web', 'encoding')
>>          self.style = self.ui.config('web', 'style')
>> -        self.templatepath = self.ui.config('web', 'templates')
>> +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
>>          self.stripecount = self.ui.config('web', 'stripes')
>>          if self.stripecount:
>>              self.stripecount = int(self.stripecount)
> On Sep 16, 2017, at 14:28, Augie Fackler <raf@durin42.com> wrote:
>
>> On Sep 16, 2017, at 4:42 PM, Gregory Szorc <gregory.szorc@gmail.com> wrote:
>>
>>> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
>>> # HG changeset patch
>>> # User Boris Feld <boris.feld@octobus.net>
>>> # Date 1505494670 -7200
>>> # ven. sept. 15 18:57:50 2017 +0200
>>> # Node ID 57231a130210d31431b727a74d91165c7802d387
>>> # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca
>>> # EXP-Topic config.cleanup
>>> hgwebdir: read 'web.template' untrusted
>>>
>>> The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
>>> the two versions of this code.
>>
>> Hmm.
>>
>> This is related to 1a45e49a6bed and represents a potential security issue.
>>
>> Could you please send a patch against stable so we can get this in the 4.3.2 release?
>
> +1. Also, should the trusted-ness of a config setting be something that's a property of its registration, rather than its use? Can we think of configurations that have a dual nature depending on context?

I think it should. I can't think of any dual nature configs.

>>> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
>>> --- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
>>> +++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
>>> @@ -174,7 +174,7 @@
>>>          self.ui = u
>>>          encoding.encoding = self.ui.config('web', 'encoding')
>>>          self.style = self.ui.config('web', 'style')
>>> -        self.templatepath = self.ui.config('web', 'templates')
>>> +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
>>>          self.stripecount = self.ui.config('web', 'stripes')
>>>          if self.stripecount:
>>>              self.stripecount = int(self.stripecount)
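The design question raised in the two replies above (trust as a property of a config item's registration rather than of each lookup) can be shown in a small model. The following is an added example written for this page; it is not Mercurial's ui code, and the names ConfigItem, register, TrustAwareConfig and the two sample hgrc texts are invented for the illustration. It models a site-level file owned by the server admin (trusted) and a repository-level .hg/hgrc owned by whoever pushes to the repo (untrusted); each registered item declares whether the untrusted file may set it, so a lookup has no untrusted= argument to get wrong.

```python
"""Added example (not Mercurial code): trust level as a property of a config
item's registration, so that no call site can accidentally read a path-like
setting from a repository-controlled file.

All names below are invented for this illustration."""

from configparser import ConfigParser
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class ConfigItem:
    section: str
    name: str
    default: Any
    untrusted_ok: bool  # may a repository-level (untrusted) file set this item?


REGISTRY: Dict[Tuple[str, str], ConfigItem] = {}


def register(section: str, name: str, default: Any, untrusted_ok: bool) -> None:
    """Declare an item once; the trust decision lives here, not at each lookup."""
    REGISTRY[(section, name)] = ConfigItem(section, name, default, untrusted_ok)


# Registrations modelled on the four 'web' options visible in the hunk.
# 'templates' is a filesystem path the server reads files from, so only the
# admin-owned file may set it; the cosmetic options may come from either file.
register('web', 'encoding', 'UTF-8', untrusted_ok=True)
register('web', 'style', 'paper', untrusted_ok=True)
register('web', 'templates', None, untrusted_ok=False)
register('web', 'stripes', 1, untrusted_ok=True)


class TrustAwareConfig:
    def __init__(self) -> None:
        self._trusted = ConfigParser(interpolation=None)
        self._untrusted = ConfigParser(interpolation=None)
        # (section, name, value) triples an untrusted file tried to set but
        # was not allowed to; a real server would log these.
        self.rejected: List[Tuple[str, str, str]] = []

    def read_trusted(self, text: str) -> None:
        self._trusted.read_string(text)

    def read_untrusted(self, text: str) -> None:
        self._untrusted.read_string(text)

    def get(self, section: str, name: str) -> Any:
        """Look up a registered item. Unregistered items raise KeyError;
        the registration, not the caller, decides which files are consulted."""
        item = REGISTRY[(section, name)]
        sources = [self._trusted]
        if item.untrusted_ok:
            sources.append(self._untrusted)  # repo-level value overrides site-level
        elif self._untrusted.has_option(section, name):
            self.rejected.append((section, name, self._untrusted.get(section, name)))
        value = item.default
        for src in sources:  # later sources win
            if src.has_option(section, name):
                value = src.get(section, name)
        return value


# Constructed sample input: an admin-owned hgrc, and a repo-level hgrc whose
# author tries to point 'web.templates' at a directory they control.
ADMIN_HGRC = """[web]
templates = /srv/hg/templates
style = paper
"""

REPO_HGRC = """[web]
templates = /tmp/attacker-controlled
style = gitweb
encoding = latin-1
"""


def demo() -> Dict[str, Any]:
    cfg = TrustAwareConfig()
    cfg.read_trusted(ADMIN_HGRC)
    cfg.read_untrusted(REPO_HGRC)
    return {
        'templates': cfg.get('web', 'templates'),  # stays at the admin value
        'style': cfg.get('web', 'style'),          # repo may override
        'encoding': cfg.get('web', 'encoding'),    # repo may set it
        'stripes': cfg.get('web', 'stripes'),      # nobody set it: default
        'rejected': list(cfg.rejected),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value!r}')
```

The point of the model is the signature of get(): the bug the patch fixes (one call site forgetting to restrict a path-like option to trusted config) is only possible when trust is chosen per lookup. With the decision attached to the registration, the templates lookup above cannot be talked into the repo-level value, and the attempt is recorded rather than silently honoured.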
On Sat, 2017-09-16 at 13:42 -0700, Gregory Szorc wrote:
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld@octobus.net> wrote:
> > # HG changeset patch
> > # User Boris Feld <boris.feld@octobus.net>
> > # Date 1505494670 -7200
> > # ven. sept. 15 18:57:50 2017 +0200
> > # Node ID 57231a130210d31431b727a74d91165c7802d387
> > # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> > # EXP-Topic config.cleanup
> > hgwebdir: read 'web.template' untrusted
> >
> > The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
> > the two versions of this code.
>
> Hmm.
>
> This is related to 1a45e49a6bed and represents a potential security issue.
>
> Could you please send a patch against stable so we can get this in the 4.3.2 release?

Yes of course, sending it right now.

> > diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> > --- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
> > +++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
> > @@ -174,7 +174,7 @@
> >          self.ui = u
> >          encoding.encoding = self.ui.config('web', 'encoding')
> >          self.style = self.ui.config('web', 'style')
> > -        self.templatepath = self.ui.config('web', 'templates')
> > +        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
> >          self.stripecount = self.ui.config('web', 'stripes')
> >          if self.stripecount:
> >              self.stripecount = int(self.stripecount)
Patch
diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
+++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
@@ -174,7 +174,7 @@
         self.ui = u
         encoding.encoding = self.ui.config('web', 'encoding')
         self.style = self.ui.config('web', 'style')
-        self.templatepath = self.ui.config('web', 'templates')
+        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
         self.stripecount = self.ui.config('web', 'stripes')
         if self.stripecount:
             self.stripecount = int(self.stripecount)
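Review bot: the commit title and body say this reads 'web.template' untrusted, but the only changed line passes untrusted=False, which restricts the lookup to trusted config, and the option the code reads is 'web.templates', not 'web.template'; the message should be reworded to match the hunk, along the lines of "hgwebdir: read 'web.templates' from trusted config only, as hgweb_mod does". In the same hunk, the adjacent 'web.encoding', 'web.style' and 'web.stripes' lookups keep the implicit default, so either the message should say why a filesystem path deserves an explicit trust argument and the cosmetic options do not, or those three lines should get the same explicit treatment so a future reader does not assume the omission is deliberate.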