Patchwork [STABLE] hgweb: prevent loading style map from directories other than specified paths

Submitter Yuya Nishihara
Date March 13, 2015, 1:07 p.m.
Message ID <9b026695b81ce9f8c380.1426252040@mimosa>
Permalink /patch/8047/
State Accepted
Commit b73a22d1d9bfe3a7f8633340ea75a0ab1526c21b

Comments

Yuya Nishihara - March 13, 2015, 1:07 p.m.
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1426249139 -32400
#      Fri Mar 13 21:18:59 2015 +0900
# Branch stable
# Node ID 9b026695b81ce9f8c3807cdb2c10613bffb5dd1c
# Parent  3cc630be5f09ab586e1ca3f015456fe5611e6333
hgweb: prevent loading style map from directories other than specified paths

A style name should not contain "/", "\", "." and "..". Otherwise, templates
could be loaded from outside of the specified templates directory by invalid
?style= parameter. hgweb should not allow such requests.

This change means subdir/name is also rejected.
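The rule the commit message describes, written out as a stand-alone example (this is added illustration, not Mercurial's own code): `is_plain_style_name` rejects empty names, `.`, `..` and anything containing a path separator, and a simplified reimplementation of `stylemap` shows why that matters. The `vet=False` mode reproduces the pre-patch behaviour, where only an empty name was skipped; the `demo` function rebuilds the directory layout from the patch's test (a legitimate `fallback` style inside the templates directory and a decoy `map` one level up, both constructed in a temp dir) and reports which map file each request resolves to. Function names, the `vet` and `isfile` parameters and the separator overrides are assumptions of this example.

```python
import os
import tempfile


def is_plain_style_name(style, sep=os.sep, altsep=os.altsep,
                        curdir=os.curdir, pardir=os.pardir):
    """Return True only for a bare style name that is safe to join under a
    templates directory.

    Mirrors the rule from the patch: reject empty names, "." and "..", and any
    name containing the primary or alternate path separator. The separator
    arguments default to this platform's values; they can be overridden to
    reason about another platform (altsep="\\" as on Windows).
    """
    if not style:
        return False
    if style in (curdir, pardir):
        return False
    if sep in style:
        return False
    if altsep and altsep in style:
        return False
    return True


def stylemap(styles, paths, vet=True, isfile=os.path.isfile):
    """Simplified stand-in for mercurial.templater.stylemap (hypothetical
    reimplementation for this example, not the project's code).

    Tries each candidate style in order and returns (style, mapfile) for the
    first map file found under one of the configured template paths. With
    vet=True the patched rule is applied; vet=False keeps only the pre-patch
    'skip empty names' check.
    """
    if isinstance(styles, str):
        styles = [styles]
    for style in styles:
        if vet:
            if not is_plain_style_name(style):
                continue  # never os.path.join() an unvetted name
        elif not style:
            continue
        locations = [os.path.join(style, 'map'), 'map-' + style, 'map']
        for path in paths:
            for location in locations:
                # os.path.join() discards `path` when `location` is absolute
                # and happily walks '..' components: the vetting above is what
                # keeps the lookup inside `path`.
                mapfile = os.path.join(path, location)
                if isfile(mapfile):
                    return style, mapfile
    raise RuntimeError("No hgweb templates found in %r" % (paths,))


def demo():
    """Rebuild the layout from the patch's test in a temp dir and resolve the
    same ?style= values with and without the vetting rule.

    Returns {"<mode>:<label>": (style chosen, map file relative to the
    templates dir)}; a relative path starting with '..' means the lookup
    escaped the templates directory.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, 'x', 'templates')
        os.makedirs(os.path.join(tdir, 'fallback'))
        with open(os.path.join(tdir, 'fallback', 'map'), 'w') as f:
            f.write("default = 'shortlog'\n")   # constructed legitimate style
        with open(os.path.join(root, 'x', 'map'), 'w') as f:
            f.write("default = 'shortlog'\n")   # constructed decoy outside tdir
        requests = {'absolute': os.path.join(root, 'x'), '..': '..',
                    './..': './..', '.../.../': '.../.../',
                    'fallback': 'fallback'}
        for label, requested in requests.items():
            for mode, vet in (('patched', True), ('unpatched', False)):
                # hgweb consults the request's style first, then web.style
                style, mapfile = stylemap([requested, 'fallback'], [tdir],
                                          vet=vet)
                results['%s:%s' % (mode, label)] = (
                    style, os.path.relpath(mapfile, tdir))
    return results


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print(key, value)
```

Run it and compare the `unpatched:..`, `unpatched:./..` and `unpatched:absolute` rows, which resolve to `../map` (the decoy outside the templates directory), with their `patched:` counterparts, which all fall back to `fallback/map`; `.../.../` never matched a file even before the patch, which is why the test's fourth request already printed the fallback text.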
Matt Mackall - March 13, 2015, 5:14 p.m.
On Fri, 2015-03-13 at 22:07 +0900, Yuya Nishihara wrote:
> # HG changeset patch
> # User Yuya Nishihara <yuya@tcha.org>
> # Date 1426249139 -32400
> #      Fri Mar 13 21:18:59 2015 +0900
> # Branch stable
> # Node ID 9b026695b81ce9f8c3807cdb2c10613bffb5dd1c
> # Parent  3cc630be5f09ab586e1ca3f015456fe5611e6333
> hgweb: prevent loading style map from directories other than specified paths

Queued for stable, thanks.

Patch

diff --git a/mercurial/templater.py b/mercurial/templater.py
--- a/mercurial/templater.py
+++ b/mercurial/templater.py
@@ -747,7 +747,11 @@  def stylemap(styles, paths=None):
         styles = [styles]
 
     for style in styles:
-        if not style:
+        # only plain name is allowed to honor template paths
+        if (not style
+            or style in (os.curdir, os.pardir)
+            or os.sep in style
+            or os.altsep and os.altsep in style):
             continue
         locations = [os.path.join(style, 'map'), 'map-' + style]
         locations.append('map')
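Review bot: the last clause `or os.altsep and os.altsep in style` relies on `and` binding tighter than `or`; that is correct Python, but parenthesising it as `or (os.altsep and os.altsep in style)` would make the intent obvious to the next reader of this four-line condition. A second point: because the rejection list is built from `os.sep`/`os.altsep`, which names are accepted depends on the platform the server runs on (a backslash is a plain character on POSIX and a separator on Windows); an allowlist of permitted characters for style names would be platform-independent and would also make the "only plain name is allowed" comment literally true. Neither point blocks the change; the check as written does reject `..`, `./..`, `subdir/name` and absolute paths, which is the point of the patch.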
diff --git a/tests/test-hgweb.t b/tests/test-hgweb.t
--- a/tests/test-hgweb.t
+++ b/tests/test-hgweb.t
@@ -578,6 +578,45 @@  phase changes are refreshed (issue4061)
   
   
 
+no style can be loaded from directories other than the specified paths
+
+  $ mkdir -p x/templates/fallback
+  $ cat <<EOF > x/templates/fallback/map
+  > default = 'shortlog'
+  > shortlog = 'fall back to default\n'
+  > mimetype = 'text/plain'
+  > EOF
+  $ cat <<EOF > x/map
+  > default = 'shortlog'
+  > shortlog = 'access to outside of templates directory\n'
+  > mimetype = 'text/plain'
+  > EOF
+
+  $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
+  $ hg serve -p $HGPORT -d --pid-file=hg.pid -A access.log -E errors.log \
+  > --config web.style=fallback --config web.templates=x/templates
+  $ cat hg.pid >> $DAEMON_PIDS
+
+  $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT "?style=`pwd`/x"
+  200 Script output follows
+  
+  fall back to default
+
+  $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=..'
+  200 Script output follows
+  
+  fall back to default
+
+  $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=./..'
+  200 Script output follows
+  
+  fall back to default
+
+  $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=.../.../'
+  200 Script output follows
+  
+  fall back to default
+
 errors
 
   $ cat errors.log
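Review bot: the new test only shows the rejected names falling through to `web.style`; it would be stronger if it also asserted the negative directly, for example by grepping `access.log`/the responses for the decoy string `access to outside of templates directory` and expecting no match, and by adding one request for a legitimate name (`?style=fallback`, or a second plain style directory next to it) so a future tightening of the check that breaks valid names is caught. Note also that `.../.../` printed the fallback text even before this patch (no `map` exists under that path), so only the first three requests actually exercise the new condition.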