security bugfix: simplehg wasn't checking permissions on remote commands other than pull or push.
marcink -
r605:72bed562 default
@@ -87,14 +87,16 class SimpleHg(object):
87 log.error(traceback.format_exc())
87 log.error(traceback.format_exc())
88 return HTTPInternalServerError()(environ, start_response)
88 return HTTPInternalServerError()(environ, start_response)
89 #check permissions for this repository
89 #check permissions for this repository
90 if action == 'pull':
90
91 if not HasPermissionAnyMiddleware('repository.read',
91 if action == 'push':
92 'repository.write',
92 if not HasPermissionAnyMiddleware('repository.write',
93 'repository.admin')\
93 'repository.admin')\
94 (user, repo_name):
94 (user, repo_name):
95 return HTTPForbidden()(environ, start_response)
95 return HTTPForbidden()(environ, start_response)
96 if action == 'push':
96
97 if not HasPermissionAnyMiddleware('repository.write',
97 else:
98 if not HasPermissionAnyMiddleware('repository.read',
99 'repository.write',
98 'repository.admin')\
100 'repository.admin')\
99 (user, repo_name):
101 (user, repo_name):
100 return HTTPForbidden()(environ, start_response)
102 return HTTPForbidden()(environ, start_response)
@@ -141,9 +143,9 class SimpleHg(object):
141 Wrapper for custom messages that come out of mercurial respond messages
143 Wrapper for custom messages that come out of mercurial respond messages
142 is a list of messages that the user will see at the end of response
144 is a list of messages that the user will see at the end of response
143 from merurial protocol actions that involves remote answers
145 from merurial protocol actions that involves remote answers
144 @param app:
146 :param app:
145 @param environ:
147 :param environ:
146 @param start_response:
148 :param start_response:
147 """
149 """
148 def custom_messages(msg_list):
150 def custom_messages(msg_list):
149 for msg in msg_list:
151 for msg in msg_list:
@@ -164,7 +166,8 class SimpleHg(object):
164 def __get_action(self, environ):
166 def __get_action(self, environ):
165 """
167 """
166 Maps mercurial request commands into a pull or push command.
168 Maps mercurial request commands into a pull or push command.
167 @param environ:
169 This should return generally always something
170 :param environ:
168 """
171 """
169 mapping = {'changegroup': 'pull',
172 mapping = {'changegroup': 'pull',
170 'changegroupsubset': 'pull',
173 'changegroupsubset': 'pull',
@@ -172,12 +175,13 class SimpleHg(object):
172 'listkeys': 'pull',
175 'listkeys': 'pull',
173 'unbundle': 'push',
176 'unbundle': 'push',
174 'pushkey': 'push', }
177 'pushkey': 'push', }
175
176 for qry in environ['QUERY_STRING'].split('&'):
178 for qry in environ['QUERY_STRING'].split('&'):
177 if qry.startswith('cmd'):
179 if qry.startswith('cmd'):
178 cmd = qry.split('=')[-1]
180 cmd = qry.split('=')[-1]
179 if mapping.has_key(cmd):
181 if mapping.has_key(cmd):
180 return mapping[cmd]
182 return mapping[cmd]
183 else:
184 return cmd
181
185
182 def __log_user_action(self, user, action, repo, ipaddr):
186 def __log_user_action(self, user, action, repo, ipaddr):
183 action_logger(user, action, repo, ipaddr)
187 action_logger(user, action, repo, ipaddr)
@@ -191,7 +195,7 class SimpleHg(object):
191
195
192
196
193 def __load_web_settings(self, hgserve):
197 def __load_web_settings(self, hgserve):
194 #set the global ui for hgserve
198 #set the global ui for hgserve instance passed
195 hgserve.repo.ui = self.baseui
199 hgserve.repo.ui = self.baseui
196
200
197 hgrc = os.path.join(self.repo_path, '.hg', 'hgrc')
201 hgrc = os.path.join(self.repo_path, '.hg', 'hgrc')
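Review bot: Returning the raw `cmd` for anything absent from `mapping` (the new `else: return cmd` at the end of the `@@ -172,12 +175,13` hunk) means every Mercurial command not explicitly listed as push — including any write-capable command added to the wire protocol later — falls into the read-permission branch of the first hunk, so `mapping` is now effectively the allow-list for write access and must be kept in sync; that deserves a comment there such as `# unmapped commands are authorized as read-only; every write-capable command must be listed as 'push' above`. The `has_key`/`else` pair also collapses to one line, `return mapping.get(cmd, cmd)`, with the same result (including the implicit `None` when no `cmd` parameter is present). Separately, `qry.startswith('cmd')` also matches parameters such as `cmdx=...`; `qry.startswith('cmd=')` would be tighter, though I cannot see from here whether anything relies on the looser match. `__get_action` begins in the previous hunk and the `mapping` literal is cut at this hunk's start.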