dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it.

mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.
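
For hosting setups that run a forced-command wrapper in front of Mercurial, the check the commit message asks for (refuse repository names of '--debugger' and anything starting with '--config') can be made strict by accepting one exact command shape only. This is an added example, not code from Mercurial or hg-ssh; `ALLOWED_REPOS`, `Rejected`, `parse_ssh_command` and `is_allowed` are hypothetical names, and the sample commands are constructed.

```python
import shlex

# Hypothetical allow-list of repositories this SSH account may serve (assumption).
ALLOWED_REPOS = frozenset({"projects/app", "projects/lib"})


class Rejected(Exception):
    """Raised when the requested command must not be executed."""


def parse_ssh_command(original_command, allowed_repos=ALLOWED_REPOS):
    """Return the validated repository name, or raise Rejected.

    Only the exact shape `hg -R <repo> serve --stdio` is accepted, so no
    extra option can be appended or placed where the repository name goes.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise Rejected("unparseable command") from exc
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        raise Rejected("only 'hg -R <repo> serve --stdio' is allowed")
    repo = argv[2]
    # Anything that looks like an option ('--debugger', '--config...', '-x')
    # is never treated as a repository name.
    if repo.startswith("-"):
        raise Rejected("repository name looks like an option: %r" % repo)
    # Exact match against the allow-list; no normalisation that could be bypassed.
    if repo not in allowed_repos:
        raise Rejected("repository not allowed: %r" % repo)
    return repo


def is_allowed(original_command):
    """Boolean form of parse_ssh_command, convenient for logging and tests."""
    try:
        parse_ssh_command(original_command)
    except Rejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values of SSH_ORIGINAL_COMMAND.
    for cmd in ("hg -R projects/app serve --stdio",
                "hg -R --debugger serve --stdio",
                "hg -R --config=section.name=value serve --stdio",
                "hg -R projects/app serve --stdio --debugger"):
        print("%-50s %s" % (cmd, "allow" if is_allowed(cmd) else "reject"))
```

A wrapper built this way passes any extra configuration through an hgrc file or ui.setconfig(), as the commit message describes, rather than through --config on the command line.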

File last commit:

r5514:c29efd27 default
r32050:77eaf953 4.1.3 stable
CONTRIBUTORS
41 lines | 1.6 KiB | text/plain | TextLexer
Matt Mackall
Add note to CONTRIBUTORS file
r5514 [This file is here for historical purposes, all recent contributors
should appear in the changelog directly]
Andrea Arcangeli <andrea at suse.de>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Thomas Arendsen Hein <thomas at intevation.de>
Goffredo Baroncelli <kreijack at libero.it>
Thomas Arendsen Hein
Added new code contributors, fixed Vincent's name, added hint on encoding.
r756 Muli Ben-Yehuda <mulix at mulix.org>
Mikael Berthe <mikael at lilotux.net>
Matt Mackall
Add Benoit to CONTRIBUTORS
r1450 Benoit Boissinot <bboissin at gmail.com>
Brendan Cully
Add self to contributors
r2947 Brendan Cully <brendan at kublai.com>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Vincent Danjean <vdanjean.ml at free.fr>
Jake Edge <jake at edge2.net>
Michael Fetterman <michael.fetterman at intel.com>
Edouard Gomez <ed.gomez at free.fr>
mpm@selenic.com
CONTRIBUTORS update
r1231 Eric Hopper <hopper at omnifarious.org>
Thomas Arendsen Hein
Added new code contributors, fixed Vincent's name, added hint on encoding.
r756 Alecs King <alecsk at gmail.com>
Thomas Arendsen Hein
Updated CONTRIBUTORS.
r1310 Volker Kleinfeld <Volker.Kleinfeld at gmx.de>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Vadim Lebedev <vadim at mbdsys.com>
Christopher Li <hg at chrisli.org>
Chris Mason <mason at suse.com>
Colin McMillen
Add self to CONTRIBUTORS
r2162 Colin McMillen <mcmillen at cs.cmu.edu>
Thomas Arendsen Hein
Updated list of contributors.
r1080 Wojciech Milkowski <wmilkowski at interia.pl>
Thomas Arendsen Hein
Added new code contributors, fixed Vincent's name, added hint on encoding.
r756 Chad Netzer <chad.netzer at gmail.com>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Bryan O'Sullivan <bos at serpentine.com>
Thomas Arendsen Hein
Added new code contributors, fixed Vincent's name, added hint on encoding.
r756 Vicent Seguí Pascual <vseguip at gmail.com>
Sean Perry <shaleh at speakeasy.net>
mpm@selenic.com
Update CONTRIBUTORS...
r594 Nguyen Anh Quynh <aquynh at gmail.com>
Thomas Arendsen Hein
Updated CONTRIBUTORS.
r1310 Ollivier Robert <roberto at keltia.freenix.fr>
Alexander Schremmer <alex AT alexanderweb DOT de>
Added my name to the contributors list.
r2120 Alexander Schremmer <alex at alexanderweb.de>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Arun Sharma <arun at sharma-home.net>
mpm@selenic.com
CONTRIBUTORS update
r1231 Josef "Jeff" Sipek <jeffpc at optonline.net>
Thomas Arendsen Hein
Updated CONTRIBUTORS.
r1310 Kevin Smith <yarcs at qualitycode.com>
mpm@selenic.com
CONTRIBUTORS update
r1231 TK Soh <teekaysoh at yahoo.com>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 Radoslaw Szkodzinski <astralstorm at gorzow.mm.pl>
Thomas Arendsen Hein
Added Samuel Tardieu to contributors list.
r851 Samuel Tardieu <sam at rfc1149.net>
mpm@selenic.com
Add a CONTRIBUTORS file...
r519 K Thananchayan <thananck at yahoo.com>
Andrew Thompson <andrewkt at aktzero.com>
Michael S. Tsirkin <mst at mellanox.co.il>
Rafael Villar Burke <pachi at mmn-arquitectos.com>
Thomas Arendsen Hein
Added Tristan Wibberley to contributors.
r855 Tristan Wibberley <tristan at wibberley.org>
Thomas Arendsen Hein
Added new code contributors, fixed Vincent's name, added hint on encoding.
r756 Mark Williamson <mark.williamson at cl.cam.ac.uk>