Patchwork D2936: hgweb: don't responsd to api requests unless feature is enabled

login
register
mail settings
Submitter phabricator
Date March 23, 2018, 6:20 p.m.
Message ID <differential-rev-PHID-DREV-w6ahqrwrj32nzw2xajb6-req@phab.mercurial-scm.org>
Download mbox | patch
Permalink /patch/29797/
State Superseded
Headers show

Comments

phabricator - March 23, 2018, 6:20 p.m.
indygreg created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  Per discussion at https://phab.mercurial-scm.org/D2834, new URLs
  in hgweb can conflict with subrepos and virtual repos. This may prevent
  access to repos in certain paths or having certain names.
  
  Until we have a workaround for this, let's not serve requests for
  "api/" URLs unless the feature is enabled.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D2936

AFFECTED FILES
  mercurial/hgweb/hgweb_mod.py
  tests/test-http-api.t

CHANGE DETAILS




To: indygreg, #hg-reviewers
Cc: mercurial-devel
phabricator - March 24, 2018, 2:57 a.m.
yuja added a comment.


  Queued, many thanks.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D2936

To: indygreg, #hg-reviewers, yuja
Cc: mercurial-devel

Patch

diff --git a/tests/test-http-api.t b/tests/test-http-api.t
--- a/tests/test-http-api.t
+++ b/tests/test-http-api.t
@@ -8,43 +8,133 @@ 
 
 Request to /api fails unless web.apiserver is enabled
 
-  $ send << EOF
-  > httprequest GET api
-  >     user-agent: test
-  > EOF
-  using raw connection to peer
-  s>     GET /api HTTP/1.1\r\n
-  s>     Accept-Encoding: identity\r\n
-  s>     user-agent: test\r\n
-  s>     host: $LOCALIP:$HGPORT\r\n (glob)
-  s>     \r\n
-  s> makefile('rb', None)
-  s>     HTTP/1.1 404 Not Found\r\n
-  s>     Server: testing stub value\r\n
-  s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Type: text/plain\r\n
-  s>     Content-Length: 44\r\n
-  s>     \r\n
-  s>     Experimental API server endpoint not enabled
+  $ get-with-headers.py $LOCALIP:$HGPORT api
+  400 no such method: api
+  
+  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
+  <head>
+  <link rel="icon" href="/static/hgicon.png" type="image/png" />
+  <meta name="robots" content="index, nofollow" />
+  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
+  <script type="text/javascript" src="/static/mercurial.js"></script>
+  
+  <title>$TESTTMP/server: error</title>
+  </head>
+  <body>
+  
+  <div class="container">
+  <div class="menu">
+  <div class="logo">
+  <a href="https://mercurial-scm.org/">
+  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
+  </div>
+  <ul>
+  <li><a href="/shortlog">log</a></li>
+  <li><a href="/graph">graph</a></li>
+  <li><a href="/tags">tags</a></li>
+  <li><a href="/bookmarks">bookmarks</a></li>
+  <li><a href="/branches">branches</a></li>
+  </ul>
+  <ul>
+  <li><a href="/help">help</a></li>
+  </ul>
+  </div>
+  
+  <div class="main">
+  
+  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
+  <h3>error</h3>
+  
+  
+  <form class="search" action="/log">
+  
+  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
+  <div id="hint">Find changesets by keywords (author, files, the commit message), revision
+  number or hash, or <a href="/help/revsets">revset expression</a>.</div>
+  </form>
+  
+  <div class="description">
+  <p>
+  An error occurred while processing your request:
+  </p>
+  <p>
+  no such method: api
+  </p>
+  </div>
+  </div>
+  </div>
+  
+  
+  
+  </body>
+  </html>
+  
+  [1]
 
-  $ send << EOF
-  > httprequest GET api/
-  >     user-agent: test
-  > EOF
-  using raw connection to peer
-  s>     GET /api/ HTTP/1.1\r\n
-  s>     Accept-Encoding: identity\r\n
-  s>     user-agent: test\r\n
-  s>     host: $LOCALIP:$HGPORT\r\n (glob)
-  s>     \r\n
-  s> makefile('rb', None)
-  s>     HTTP/1.1 404 Not Found\r\n
-  s>     Server: testing stub value\r\n
-  s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Type: text/plain\r\n
-  s>     Content-Length: 44\r\n
-  s>     \r\n
-  s>     Experimental API server endpoint not enabled
+  $ get-with-headers.py $LOCALIP:$HGPORT api/
+  400 no such method: api
+  
+  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
+  <head>
+  <link rel="icon" href="/static/hgicon.png" type="image/png" />
+  <meta name="robots" content="index, nofollow" />
+  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
+  <script type="text/javascript" src="/static/mercurial.js"></script>
+  
+  <title>$TESTTMP/server: error</title>
+  </head>
+  <body>
+  
+  <div class="container">
+  <div class="menu">
+  <div class="logo">
+  <a href="https://mercurial-scm.org/">
+  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
+  </div>
+  <ul>
+  <li><a href="/shortlog">log</a></li>
+  <li><a href="/graph">graph</a></li>
+  <li><a href="/tags">tags</a></li>
+  <li><a href="/bookmarks">bookmarks</a></li>
+  <li><a href="/branches">branches</a></li>
+  </ul>
+  <ul>
+  <li><a href="/help">help</a></li>
+  </ul>
+  </div>
+  
+  <div class="main">
+  
+  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
+  <h3>error</h3>
+  
+  
+  <form class="search" action="/log">
+  
+  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
+  <div id="hint">Find changesets by keywords (author, files, the commit message), revision
+  number or hash, or <a href="/help/revsets">revset expression</a>.</div>
+  </form>
+  
+  <div class="description">
+  <p>
+  An error occurred while processing your request:
+  </p>
+  <p>
+  no such method: api
+  </p>
+  </div>
+  </div>
+  </div>
+  
+  
+  
+  </body>
+  </html>
+  
+  [1]
 
 Restart server with support for API server
 
diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -321,8 +321,11 @@ 
             res.headers['Content-Security-Policy'] = rctx.csp
 
         # /api/* is reserved for various API implementations. Dispatch
-        # accordingly.
-        if req.dispatchparts and req.dispatchparts[0] == b'api':
+        # accordingly. But URL paths can conflict with subrepos and virtual
+        # repos in hgwebdir. So until we have a workaround for this, only
+        # expose the URLs if the feature is enabled.
+        apienabled = rctx.repo.ui.configbool('experimental', 'web.apiserver')
+        if apienabled and req.dispatchparts and req.dispatchparts[0] == b'api':
             wireprotoserver.handlewsgiapirequest(rctx, req, res,
                                                  self.check_perm)
             return res.sendresponse()