Submitter | Yuya Nishihara |
---|---|
Date | Sept. 7, 2018, 1:39 p.m. |
Message ID | <70d6fff1bccfe8760f06.1536327587@mimosa> |
Permalink | /patch/34391/ |
State | Accepted |
Comments
queued, thanks > On Sep 7, 2018, at 9:39 AM, Yuya Nishihara <yuya@tcha.org> wrote: > > # HG changeset patch > # User Yuya Nishihara <yuya@tcha.org> > # Date 1535289489 -32400 > # Sun Aug 26 22:18:09 2018 +0900 > # Node ID 70d6fff1bccfe8760f06bc92ca0b23a61c3ddca9 > # Parent 61b6dff6e23fde7831422b5787430a32003a4d33 > hgweb: do not audit URL path as working-directory path > > Since hgweb is an interface to repository data, we don't need to prohibit > any paths conflicting within the filesystem. Still an access to working > files is audited by filectx. > > diff --git a/mercurial/hgweb/webutil.py b/mercurial/hgweb/webutil.py > --- a/mercurial/hgweb/webutil.py > +++ b/mercurial/hgweb/webutil.py > @@ -320,7 +320,8 @@ def branchentries(repo, stripecount, lim > > def cleanpath(repo, path): > path = path.lstrip('/') > - return pathutil.canonpath(repo.root, '', path) > + auditor = pathutil.pathauditor(repo.root, realfs=False) > + return pathutil.canonpath(repo.root, '', path, auditor=auditor) > > def changectx(repo, req): > changeid = "tip" > diff --git a/tests/test-hgwebdir.t b/tests/test-hgwebdir.t > --- a/tests/test-hgwebdir.t > +++ b/tests/test-hgwebdir.t 
> @@ -1231,14 +1231,15 @@ Test subrepositories inside intermediate > > f2 > > -Test accessing file that is shadowed by another repository > +Test accessing file that could be shadowed by another repository if the URL > +path were audited as a working-directory path: > > $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw' > - 403 Forbidden > - > + 200 Script output follows > > - error: path 'f3/file' is inside nested repo 'f3' > - [1] > + f3/file > + > +Test accessing working-directory file that is shadowed by another repository > > $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw' > 403 Forbidden > _______________________________________________ > Mercurial-devel mailing list > Mercurial-devel@mercurial-scm.org > https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
Patch
diff --git a/mercurial/hgweb/webutil.py b/mercurial/hgweb/webutil.py --- a/mercurial/hgweb/webutil.py +++ b/mercurial/hgweb/webutil.py @@ -320,7 +320,8 @@ def branchentries(repo, stripecount, lim def cleanpath(repo, path): path = path.lstrip('/') - return pathutil.canonpath(repo.root, '', path) + auditor = pathutil.pathauditor(repo.root, realfs=False) + return pathutil.canonpath(repo.root, '', path, auditor=auditor) def changectx(repo, req): changeid = "tip" diff --git a/tests/test-hgwebdir.t b/tests/test-hgwebdir.t --- a/tests/test-hgwebdir.t +++ b/tests/test-hgwebdir.t @@ -1231,14 +1231,15 @@ Test subrepositories inside intermediate f2 -Test accessing file that is shadowed by another repository +Test accessing file that could be shadowed by another repository if the URL +path were audited as a working-directory path: $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw' - 403 Forbidden - + 200 Script output follows - error: path 'f3/file' is inside nested repo 'f3' - [1] + f3/file + +Test accessing working-directory file that is shadowed by another repository $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw' 403 Forbidden
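Review bot: The new `auditor = pathutil.pathauditor(repo.root, realfs=False)` line in `cleanpath()` has no comment saying why filesystem auditing is switched off, so a later reader could take it for an accidental weakening and revert it, or copy the pattern to a caller that really does touch working files. The justification lives only in the commit message (hgweb paths name repository data, and working-file access is still audited by filectx); a one-line comment above the assignment stating that would keep the reasoning next to the code. A smaller point: a fresh auditor is built on every `cleanpath()` call, which is fine if construction is cheap but worth a glance if this is on a hot request path.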
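Review bot: The updated test in tests/test-hgwebdir.t covers only the nested-repository case (the `tip/f3/file` request now returning 200 and the `ffffffffffff/f3/file` request still returning 403), so nothing visible in this hunk shows that URL paths the auditor should refuse independent of filesystem state are still refused once `realfs=False` is passed. Consider adding a request whose path must be rejected no matter what is on disk and asserting the error response, so the relaxed check is pinned from both sides. As a style point, the new heading "Test accessing file that could be shadowed by another repository if the URL path were audited as a working-directory path:" ends with a colon while the heading added just below it does not.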