From patchwork Mon Sep 22 15:48:57 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: hgweb: fail if an invalid command was supplied in url path (issue4071) From: Anton Shestakov X-Patchwork-Id: 5914 Message-Id: To: mercurial-devel@selenic.com Date: Tue, 23 Sep 2014 00:48:57 +0900 # HG changeset patch # User Anton Shestakov # Date 1411397198 -32400 # Mon Sep 22 23:46:38 2014 +0900 # Node ID e7a296512bdffc2238b6acceb6e2314a2842b900 # Parent 5e16fe6fdd32124c3295db5ec40b076084cc5bd4 hgweb: fail if an invalid command was supplied in url path (issue4071) Currently hgweb produces an http 400 error only if an invalid command was supplied using url query (i.e. "?cmd=badcmd"). If an invalid command was supplied as a url path fragment (i.e. "/badcmd/"), hgweb silently falls back to rendering the repo overview page ("/"). This is inconsistent and breaks some tools that rely on http status codes (as noted in the issue4071). So this patch makes hgweb fail in both cases with "400 no such method". That issue, however, is about a command with some arguments, such as revision and file ("/badcmd/tip/foo.txt"). It is possible to fix only that case, but this particular patch is more generic and will make hgweb produce 400 status code even if the command is not followed by any arguments ("/badcmd"). diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py --- a/mercurial/hgweb/hgweb_mod.py +++ b/mercurial/hgweb/hgweb_mod.py @@ -200,8 +200,6 @@ class hgweb(object): # avoid accepting e.g. style parameter as command if util.safehasattr(webcommands, cmd): req.form['cmd'] = [cmd] - else: - cmd = '' if cmd == 'static': req.form['file'] = ['/'.join(args)] diff --git a/tests/test-hgweb.t b/tests/test-hgweb.t --- a/tests/test-hgweb.t +++ b/tests/test-hgweb.t 
@@ -122,6 +122,20 @@ should give a 400 - bad command error: no such method: spam [1] +should give a 400 - bad command as a part of url path (issue4071) + + $ "$TESTDIR/get-with-headers.py" --headeronly localhost:$HGPORT 'spam' + 400 no such method: spam + [1] + + $ "$TESTDIR/get-with-headers.py" --headeronly localhost:$HGPORT 'raw-spam' + 400 no such method: spam + [1] + + $ "$TESTDIR/get-with-headers.py" --headeronly localhost:$HGPORT 'spam/tip/foo' + 400 no such method: spam + [1] + should give a 404 - file does not exist $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT 'file/tip/bork?style=raw' @@ -308,7 +322,7 @@ stop and restart Test the access/error files are opened in append mode $ python -c "print len(file('access.log').readlines()), 'log lines written'" - 10 log lines written + 13 log lines written static file
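Review bot: in the hgweb_mod.py hunk, once the `else: cmd = ''` branch is gone, the comment `# avoid accepting e.g. style parameter as command` no longer describes what the code does. An unrecognised path segment now stays in `cmd` while `req.form['cmd']` is left unset, and the 400 is raised by code outside this hunk. Please reword the comment to say the unknown value is kept on purpose so that it is rejected later, and state in the commit message why the case the old fallback handled (a first path segment that is not a command) should no longer fall through to the overview page. Since the rejected value is echoed back in "no such method: spam" and can now come from the URL path as well as the query string, also confirm that it is escaped wherever that message is rendered.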
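Review bot: the cases added to tests/test-hgweb.t request 'spam', 'raw-spam' and 'spam/tip/foo', but none covers the trailing-slash form "/badcmd/" that the commit message gives as its example of the old fallback; add a request for 'spam/' so that behaviour is pinned too. The 'raw-spam' case also needs a one-line description, because its expected output is "400 no such method: spam" rather than "raw-spam" and the test does not say why. All three requests use --headeronly, so only the status line is checked; one request without it would also cover the error body.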