Patchwork [2,of,2] lfs: ensure the transfer request is for a known URI

Submitter Matt Harbison
Date April 1, 2018, 4 a.m.
Message ID <61133b211f50194afc52.1522555255@Envy>
Permalink /patch/30098/
State Accepted

Comments

Matt Harbison - April 1, 2018, 4 a.m.
# HG changeset patch
# User Matt Harbison <matt_harbison@yahoo.com>
# Date 1522555088 14400
#      Sat Mar 31 23:58:08 2018 -0400
# Node ID 61133b211f50194afc52f576d93c58d3f5f6c529
# Parent  bdef5a344ebfd54cf454b184e14d0c37400f7547
lfs: ensure the transfer request is for a known URI

Since the dispatching code only checks the beginning of the string, this
enforces that there's only one more path component.
Yuya Nishihara - April 1, 2018, 9:12 a.m.
On Sun, 01 Apr 2018 00:00:55 -0400, Matt Harbison wrote:
> # HG changeset patch
> # User Matt Harbison <matt_harbison@yahoo.com>
> # Date 1522555088 14400
> #      Sat Mar 31 23:58:08 2018 -0400
> # Node ID 61133b211f50194afc52f576d93c58d3f5f6c529
> # Parent  bdef5a344ebfd54cf454b184e14d0c37400f7547
> lfs: ensure the transfer request is for a known URI

Queued, thanks.

Patch

diff --git a/hgext/lfs/wireprotolfsserver.py b/hgext/lfs/wireprotolfsserver.py
--- a/hgext/lfs/wireprotolfsserver.py
+++ b/hgext/lfs/wireprotolfsserver.py
@@ -22,6 +22,7 @@  from mercurial import (
 HTTP_OK = hgwebcommon.HTTP_OK
 HTTP_CREATED = hgwebcommon.HTTP_CREATED
 HTTP_BAD_REQUEST = hgwebcommon.HTTP_BAD_REQUEST
+HTTP_NOT_FOUND = hgwebcommon.HTTP_NOT_FOUND
 
 def handlewsgirequest(orig, rctx, req, res, checkperm):
     """Wrap wireprotoserver.handlewsgirequest() to possibly process an LFS
@@ -241,6 +242,10 @@  def _processbasictransfer(repo, req, res
     oid = req.dispatchparts[-1]
     localstore = repo.svfs.lfslocalblobstore
 
+    if len(req.dispatchparts) != 4:
+        _sethttperror(res, HTTP_NOT_FOUND)
+        return True
+
     if method == b'PUT':
         checkperm('upload')
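
Review bot: the new `len(req.dispatchparts) != 4` guard in `_processbasictransfer` uses a bare `4` with no comment naming the path components it expects, and it sits below `oid = req.dispatchparts[-1]`, so the OID is taken from the request path before the path is known to have the right shape. Consider a one-line comment (or a named constant) documenting the expected URI layout, and moving the guard above the `oid` assignment. The guard constrains only the number of components: `oid` is still whatever the last component contains when it is used with `localstore`, so a check that `oid` has the expected form would fit next to this guard if it is not already done elsewhere. This diff touches only `wireprotolfsserver.py`; a test that sends a transfer request with an extra path component and asserts the `HTTP_NOT_FOUND` response would pin the behaviour down.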