##// END OF EJS Templates
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

File last commit:

r31941:ac552702 default
r32050:77eaf953 4.1.3 stable
Show More
hgclient.c
620 lines | 15.3 KiB | text/x-c | CLexer
Yuya Nishihara
chg: import frontend sources...
r28060 /*
* A command server client that uses Unix domain socket
*
* Copyright (c) 2011 Yuya Nishihara <yuya@tcha.org>
*
* This software may be used and distributed according to the terms of the
* GNU General Public License version 2 or any later version.
*/
#include <arpa/inet.h> /* for ntohl(), htonl() */
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#include "hgclient.h"
Jun Wu
chg: handle pager request client-side...
r30738 #include "procutil.h"
Yuya Nishihara
chg: import frontend sources...
r28060 #include "util.h"
enum {
CAP_GETENCODING = 0x0001,
CAP_RUNCOMMAND = 0x0002,
/* cHg extension: */
CAP_ATTACHIO = 0x0100,
CAP_CHDIR = 0x0200,
CAP_SETENV = 0x0800,
Jun Wu
chg: forward umask from client to server...
r28160 CAP_SETUMASK = 0x1000,
Jun Wu
chg: implement validate in hgclient...
r28356 CAP_VALIDATE = 0x2000,
Jun Wu
chg: change server's process title...
r30751 CAP_SETPROCNAME = 0x4000,
Yuya Nishihara
chg: import frontend sources...
r28060 };
typedef struct {
const char *name;
unsigned int flag;
} cappair_t;
static const cappair_t captable[] = {
{"getencoding", CAP_GETENCODING},
{"runcommand", CAP_RUNCOMMAND},
{"attachio", CAP_ATTACHIO},
{"chdir", CAP_CHDIR},
{"setenv", CAP_SETENV},
Jun Wu
chg: forward umask from client to server...
r28160 {"setumask", CAP_SETUMASK},
Jun Wu
chg: implement validate in hgclient...
r28356 {"validate", CAP_VALIDATE},
Jun Wu
chg: change server's process title...
r30751 {"setprocname", CAP_SETPROCNAME},
Yuya Nishihara
chg: import frontend sources...
r28060 {NULL, 0}, /* terminator */
};
typedef struct {
char ch;
char *data;
size_t maxdatasize;
size_t datasize;
} context_t;
struct hgclient_tag_ {
int sockfd;
Jun Wu
chg: add pgid to hgclient struct...
r29581 pid_t pgid;
Yuya Nishihara
chg: import frontend sources...
r28060 pid_t pid;
context_t ctx;
unsigned int capflags;
};
static const size_t defaultdatasize = 4096;
Jun Wu
chg: handle pager request client-side...
r30738 static void attachio(hgclient_t *hgc);
Yuya Nishihara
chg: import frontend sources...
r28060 static void initcontext(context_t *ctx)
{
ctx->ch = '\0';
ctx->data = malloc(defaultdatasize);
ctx->maxdatasize = (ctx->data) ? defaultdatasize : 0;
ctx->datasize = 0;
debugmsg("initialize context buffer with size %zu", ctx->maxdatasize);
}
static void enlargecontext(context_t *ctx, size_t newsize)
{
if (newsize <= ctx->maxdatasize)
return;
newsize = defaultdatasize
* ((newsize + defaultdatasize - 1) / defaultdatasize);
Jun Wu
chg: use mallocx and reallocx in hgclient...
r28166 ctx->data = reallocx(ctx->data, newsize);
Yuya Nishihara
chg: import frontend sources...
r28060 ctx->maxdatasize = newsize;
debugmsg("enlarge context buffer to %zu", ctx->maxdatasize);
}
static void freecontext(context_t *ctx)
{
debugmsg("free context buffer");
free(ctx->data);
ctx->data = NULL;
ctx->maxdatasize = 0;
ctx->datasize = 0;
}
/* Read channeled response from cmdserver */
static void readchannel(hgclient_t *hgc)
{
assert(hgc);
ssize_t rsize = recv(hgc->sockfd, &hgc->ctx.ch, sizeof(hgc->ctx.ch), 0);
Jun Wu
chg: downgrade "failed to read channel" from abortmsg to debugmsg...
r28551 if (rsize != sizeof(hgc->ctx.ch)) {
/* server would have exception and traceback would be printed */
debugmsg("failed to read channel");
exit(255);
}
Yuya Nishihara
chg: import frontend sources...
r28060
uint32_t datasize_n;
rsize = recv(hgc->sockfd, &datasize_n, sizeof(datasize_n), 0);
if (rsize != sizeof(datasize_n))
abortmsg("failed to read data size");
/* datasize denotes the maximum size to write if input request */
hgc->ctx.datasize = ntohl(datasize_n);
enlargecontext(&hgc->ctx, hgc->ctx.datasize);
if (isupper(hgc->ctx.ch) && hgc->ctx.ch != 'S')
return; /* assumes input request */
size_t cursize = 0;
while (cursize < hgc->ctx.datasize) {
rsize = recv(hgc->sockfd, hgc->ctx.data + cursize,
hgc->ctx.datasize - cursize, 0);
Yuya Nishihara
chg: just take it as EOF if recv() returns 0...
r29719 if (rsize < 1)
Yuya Nishihara
chg: import frontend sources...
r28060 abortmsg("failed to read data block");
cursize += rsize;
}
}
static void sendall(int sockfd, const void *data, size_t datasize)
{
const char *p = data;
const char *const endp = p + datasize;
while (p < endp) {
ssize_t r = send(sockfd, p, endp - p, 0);
if (r < 0)
Jun Wu
chg: replace abortmsg showing errno with abortmsgerrno...
r28789 abortmsgerrno("cannot communicate");
Yuya Nishihara
chg: import frontend sources...
r28060 p += r;
}
}
/* Write lengh-data block to cmdserver */
static void writeblock(const hgclient_t *hgc)
{
assert(hgc);
const uint32_t datasize_n = htonl(hgc->ctx.datasize);
sendall(hgc->sockfd, &datasize_n, sizeof(datasize_n));
sendall(hgc->sockfd, hgc->ctx.data, hgc->ctx.datasize);
}
static void writeblockrequest(const hgclient_t *hgc, const char *chcmd)
{
debugmsg("request %s, block size %zu", chcmd, hgc->ctx.datasize);
char buf[strlen(chcmd) + 1];
memcpy(buf, chcmd, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = '\n';
sendall(hgc->sockfd, buf, sizeof(buf));
writeblock(hgc);
}
/* Build '\0'-separated list of args. argsize < 0 denotes that args are
* terminated by NULL. */
static void packcmdargs(context_t *ctx, const char *const args[],
ssize_t argsize)
{
ctx->datasize = 0;
const char *const *const end = (argsize >= 0) ? args + argsize : NULL;
for (const char *const *it = args; it != end && *it; ++it) {
const size_t n = strlen(*it) + 1; /* include '\0' */
enlargecontext(ctx, ctx->datasize + n);
memcpy(ctx->data + ctx->datasize, *it, n);
ctx->datasize += n;
}
if (ctx->datasize > 0)
--ctx->datasize; /* strip last '\0' */
}
/* Extract '\0'-separated list of args to new buffer, terminated by NULL */
static const char **unpackcmdargsnul(const context_t *ctx)
{
const char **args = NULL;
size_t nargs = 0, maxnargs = 0;
const char *s = ctx->data;
const char *e = ctx->data + ctx->datasize;
for (;;) {
if (nargs + 1 >= maxnargs) { /* including last NULL */
maxnargs += 256;
Jun Wu
chg: use mallocx and reallocx in hgclient...
r28166 args = reallocx(args, maxnargs * sizeof(args[0]));
Yuya Nishihara
chg: import frontend sources...
r28060 }
args[nargs] = s;
nargs++;
s = memchr(s, '\0', e - s);
if (!s)
break;
s++;
}
args[nargs] = NULL;
return args;
}
static void handlereadrequest(hgclient_t *hgc)
{
context_t *ctx = &hgc->ctx;
size_t r = fread(ctx->data, sizeof(ctx->data[0]), ctx->datasize, stdin);
ctx->datasize = r;
writeblock(hgc);
}
/* Read single-line */
static void handlereadlinerequest(hgclient_t *hgc)
{
context_t *ctx = &hgc->ctx;
if (!fgets(ctx->data, ctx->datasize, stdin))
ctx->data[0] = '\0';
ctx->datasize = strlen(ctx->data);
writeblock(hgc);
}
/* Execute the requested command and write exit code */
static void handlesystemrequest(hgclient_t *hgc)
{
context_t *ctx = &hgc->ctx;
enlargecontext(ctx, ctx->datasize + 1);
ctx->data[ctx->datasize] = '\0'; /* terminate last string */
const char **args = unpackcmdargsnul(ctx);
Jun Wu
chg: send type information via S channel (BC)...
r30726 if (!args[0] || !args[1] || !args[2])
abortmsg("missing type or command or cwd in system request");
Jun Wu
chg: check type read from S channel...
r30728 if (strcmp(args[0], "system") == 0) {
debugmsg("run '%s' at '%s'", args[1], args[2]);
int32_t r = runshellcmd(args[1], args + 3, args[2]);
free(args);
Yuya Nishihara
chg: import frontend sources...
r28060
Jun Wu
chg: check type read from S channel...
r30728 uint32_t r_n = htonl(r);
memcpy(ctx->data, &r_n, sizeof(r_n));
ctx->datasize = sizeof(r_n);
writeblock(hgc);
Jun Wu
chg: handle pager request client-side...
r30738 } else if (strcmp(args[0], "pager") == 0) {
setuppager(args[1]);
if (hgc->capflags & CAP_ATTACHIO)
attachio(hgc);
/* unblock the server */
static const char emptycmd[] = "\n";
sendall(hgc->sockfd, emptycmd, sizeof(emptycmd) - 1);
Jun Wu
chg: check type read from S channel...
r30728 } else {
abortmsg("unknown type in system request: %s", args[0]);
}
Yuya Nishihara
chg: import frontend sources...
r28060 }
/* Read response of command execution until receiving 'r'-esult */
static void handleresponse(hgclient_t *hgc)
{
for (;;) {
readchannel(hgc);
context_t *ctx = &hgc->ctx;
debugmsg("response read from channel %c, size %zu",
ctx->ch, ctx->datasize);
switch (ctx->ch) {
case 'o':
fwrite(ctx->data, sizeof(ctx->data[0]), ctx->datasize,
stdout);
break;
case 'e':
fwrite(ctx->data, sizeof(ctx->data[0]), ctx->datasize,
stderr);
break;
case 'd':
/* assumes last char is '\n' */
ctx->data[ctx->datasize - 1] = '\0';
debugmsg("server: %s", ctx->data);
break;
case 'r':
return;
case 'I':
handlereadrequest(hgc);
break;
case 'L':
handlereadlinerequest(hgc);
break;
case 'S':
handlesystemrequest(hgc);
break;
default:
if (isupper(ctx->ch))
abortmsg("cannot handle response (ch = %c)",
ctx->ch);
}
}
}
static unsigned int parsecapabilities(const char *s, const char *e)
{
unsigned int flags = 0;
while (s < e) {
const char *t = strchr(s, ' ');
if (!t || t > e)
t = e;
const cappair_t *cap;
for (cap = captable; cap->flag; ++cap) {
size_t n = t - s;
if (strncmp(s, cap->name, n) == 0 &&
strlen(cap->name) == n) {
flags |= cap->flag;
break;
}
}
s = t + 1;
}
return flags;
}
static void readhello(hgclient_t *hgc)
{
readchannel(hgc);
context_t *ctx = &hgc->ctx;
Yuya Nishihara
chg: provide early exception to user...
r28512 if (ctx->ch != 'o') {
char ch = ctx->ch;
if (ch == 'e') {
/* write early error and will exit */
fwrite(ctx->data, sizeof(ctx->data[0]), ctx->datasize,
stderr);
handleresponse(hgc);
}
abortmsg("unexpected channel of hello message (ch = %c)", ch);
}
Yuya Nishihara
chg: import frontend sources...
r28060 enlargecontext(ctx, ctx->datasize + 1);
ctx->data[ctx->datasize] = '\0';
debugmsg("hello received: %s (size = %zu)", ctx->data, ctx->datasize);
const char *s = ctx->data;
const char *const dataend = ctx->data + ctx->datasize;
while (s < dataend) {
const char *t = strchr(s, ':');
if (!t || t[1] != ' ')
break;
const char *u = strchr(t + 2, '\n');
if (!u)
u = dataend;
if (strncmp(s, "capabilities:", t - s + 1) == 0) {
hgc->capflags = parsecapabilities(t + 2, u);
Jun Wu
chg: add pgid to hgclient struct...
r29581 } else if (strncmp(s, "pgid:", t - s + 1) == 0) {
hgc->pgid = strtol(t + 2, NULL, 10);
Yuya Nishihara
chg: import frontend sources...
r28060 } else if (strncmp(s, "pid:", t - s + 1) == 0) {
hgc->pid = strtol(t + 2, NULL, 10);
}
s = u + 1;
}
debugmsg("capflags=0x%04x, pid=%d", hgc->capflags, hgc->pid);
}
Jun Wu
chg: change server's process title...
r30751 static void updateprocname(hgclient_t *hgc)
{
Jun Wu
chg: check snprintf result strictly...
r30756 int r = snprintf(hgc->ctx.data, hgc->ctx.maxdatasize,
Jun Wu
chg: change server's process title...
r30751 "chg[worker/%d]", (int)getpid());
Jun Wu
chg: check snprintf result strictly...
r30756 if (r < 0 || (size_t)r >= hgc->ctx.maxdatasize)
abortmsg("insufficient buffer to write procname (r = %d)", r);
hgc->ctx.datasize = (size_t)r;
Jun Wu
chg: change server's process title...
r30751 writeblockrequest(hgc, "setprocname");
}
Yuya Nishihara
chg: import frontend sources...
r28060 static void attachio(hgclient_t *hgc)
{
debugmsg("request attachio");
static const char chcmd[] = "attachio\n";
sendall(hgc->sockfd, chcmd, sizeof(chcmd) - 1);
readchannel(hgc);
context_t *ctx = &hgc->ctx;
if (ctx->ch != 'I')
abortmsg("unexpected response for attachio (ch = %c)", ctx->ch);
static const int fds[3] = {STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO};
struct msghdr msgh;
memset(&msgh, 0, sizeof(msgh));
struct iovec iov = {ctx->data, ctx->datasize}; /* dummy payload */
msgh.msg_iov = &iov;
msgh.msg_iovlen = 1;
char fdbuf[CMSG_SPACE(sizeof(fds))];
msgh.msg_control = fdbuf;
msgh.msg_controllen = sizeof(fdbuf);
struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msgh);
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
cmsg->cmsg_len = CMSG_LEN(sizeof(fds));
memcpy(CMSG_DATA(cmsg), fds, sizeof(fds));
msgh.msg_controllen = cmsg->cmsg_len;
ssize_t r = sendmsg(hgc->sockfd, &msgh, 0);
if (r < 0)
Jun Wu
chg: replace abortmsg showing errno with abortmsgerrno...
r28789 abortmsgerrno("sendmsg failed");
Yuya Nishihara
chg: import frontend sources...
r28060
handleresponse(hgc);
int32_t n;
if (ctx->datasize != sizeof(n))
abortmsg("unexpected size of attachio result");
memcpy(&n, ctx->data, sizeof(n));
n = ntohl(n);
if (n != sizeof(fds) / sizeof(fds[0]))
abortmsg("failed to send fds (n = %d)", n);
}
static void chdirtocwd(hgclient_t *hgc)
{
if (!getcwd(hgc->ctx.data, hgc->ctx.maxdatasize))
Jun Wu
chg: replace abortmsg showing errno with abortmsgerrno...
r28789 abortmsgerrno("failed to getcwd");
Yuya Nishihara
chg: import frontend sources...
r28060 hgc->ctx.datasize = strlen(hgc->ctx.data);
writeblockrequest(hgc, "chdir");
}
Jun Wu
chg: forward umask from client to server...
r28160 static void forwardumask(hgclient_t *hgc)
{
mode_t mask = umask(0);
umask(mask);
static const char command[] = "setumask\n";
sendall(hgc->sockfd, command, sizeof(command) - 1);
uint32_t data = htonl(mask);
sendall(hgc->sockfd, &data, sizeof(data));
}
Yuya Nishihara
chg: import frontend sources...
r28060 /*!
* Open connection to per-user cmdserver
*
* If no background server running, returns NULL.
*/
hgclient_t *hgc_open(const char *sockname)
{
int fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd < 0)
Jun Wu
chg: replace abortmsg showing errno with abortmsgerrno...
r28789 abortmsgerrno("cannot create socket");
Yuya Nishihara
chg: import frontend sources...
r28060
/* don't keep fd on fork(), so that it can be closed when the parent
* process get terminated. */
Jun Wu
chg: extract the logic of setting FD_CLOEXEC to a utility function...
r28855 fsetcloexec(fd);
Yuya Nishihara
chg: import frontend sources...
r28060
struct sockaddr_un addr;
addr.sun_family = AF_UNIX;
Jun Wu
chg: let hgc_open support long path...
r30675
/* use chdir to workaround small sizeof(sun_path) */
int bakfd = -1;
const char *basename = sockname;
{
const char *split = strrchr(sockname, '/');
if (split && split != sockname) {
if (split[1] == '\0')
abortmsg("sockname cannot end with a slash");
size_t len = split - sockname;
char sockdir[len + 1];
memcpy(sockdir, sockname, len);
sockdir[len] = '\0';
bakfd = open(".", O_DIRECTORY);
if (bakfd == -1)
abortmsgerrno("cannot open cwd");
int r = chdir(sockdir);
if (r != 0)
abortmsgerrno("cannot chdir %s", sockdir);
basename = split + 1;
}
}
if (strlen(basename) >= sizeof(addr.sun_path))
abortmsg("sockname is too long: %s", basename);
strncpy(addr.sun_path, basename, sizeof(addr.sun_path));
Yuya Nishihara
chg: import frontend sources...
r28060 addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
Jun Wu
chg: let hgc_open support long path...
r30675 /* real connect */
Yuya Nishihara
chg: import frontend sources...
r28060 int r = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
Jun Wu
chg: handle connect failure before errno gets overridden...
r30679 if (r < 0) {
if (errno != ENOENT && errno != ECONNREFUSED)
abortmsgerrno("cannot connect to %s", sockname);
}
Jun Wu
chg: let hgc_open support long path...
r30675 if (bakfd != -1) {
fchdirx(bakfd);
close(bakfd);
}
Yuya Nishihara
chg: import frontend sources...
r28060 if (r < 0) {
close(fd);
Jun Wu
chg: handle connect failure before errno gets overridden...
r30679 return NULL;
Yuya Nishihara
chg: import frontend sources...
r28060 }
Jun Wu
chg: make connect debug message less repetitive...
r28769 debugmsg("connected to %s", addr.sun_path);
Yuya Nishihara
chg: import frontend sources...
r28060
Jun Wu
chg: use mallocx and reallocx in hgclient...
r28166 hgclient_t *hgc = mallocx(sizeof(hgclient_t));
Yuya Nishihara
chg: import frontend sources...
r28060 memset(hgc, 0, sizeof(*hgc));
hgc->sockfd = fd;
initcontext(&hgc->ctx);
readhello(hgc);
if (!(hgc->capflags & CAP_RUNCOMMAND))
abortmsg("insufficient capability: runcommand");
Jun Wu
chg: change server's process title...
r30751 if (hgc->capflags & CAP_SETPROCNAME)
updateprocname(hgc);
Yuya Nishihara
chg: import frontend sources...
r28060 if (hgc->capflags & CAP_ATTACHIO)
attachio(hgc);
if (hgc->capflags & CAP_CHDIR)
chdirtocwd(hgc);
Jun Wu
chg: forward umask from client to server...
r28160 if (hgc->capflags & CAP_SETUMASK)
forwardumask(hgc);
Yuya Nishihara
chg: import frontend sources...
r28060
return hgc;
}
/*!
* Close connection and free allocated memory
*/
void hgc_close(hgclient_t *hgc)
{
assert(hgc);
freecontext(&hgc->ctx);
close(hgc->sockfd);
free(hgc);
}
Jun Wu
chg: add pgid to hgclient struct...
r29581 pid_t hgc_peerpgid(const hgclient_t *hgc)
{
assert(hgc);
return hgc->pgid;
}
Yuya Nishihara
chg: import frontend sources...
r28060 pid_t hgc_peerpid(const hgclient_t *hgc)
{
assert(hgc);
return hgc->pid;
}
/*!
Jun Wu
chg: implement validate in hgclient...
r28356 * Send command line arguments to let the server load the repo config and check
* whether it can process our request directly or not.
* Make sure hgc_setenv is called before calling this.
*
* @return - NULL, the server believes it can handle our request, or does not
* support "validate" command.
Jun Wu
chgserver: add an explicit "reconnect" instruction to validate...
r28535 * - a list of strings, the server probably cannot handle our request
* and it sent instructions telling us what to do next. See
Jun Wu
chg: implement validate in hgclient...
r28356 * chgserver.py for possible instruction formats.
* the list should be freed by the caller.
* the last string is guaranteed to be NULL.
*/
const char **hgc_validate(hgclient_t *hgc, const char *const args[],
size_t argsize)
{
assert(hgc);
if (!(hgc->capflags & CAP_VALIDATE))
return NULL;
packcmdargs(&hgc->ctx, args, argsize);
writeblockrequest(hgc, "validate");
handleresponse(hgc);
/* the server returns '\0' if it can handle our request */
if (hgc->ctx.datasize <= 1)
return NULL;
/* make sure the buffer is '\0' terminated */
enlargecontext(&hgc->ctx, hgc->ctx.datasize + 1);
hgc->ctx.data[hgc->ctx.datasize] = '\0';
return unpackcmdargsnul(&hgc->ctx);
}
/*!
Yuya Nishihara
chg: import frontend sources...
r28060 * Execute the specified Mercurial command
*
* @return result code
*/
int hgc_runcommand(hgclient_t *hgc, const char *const args[], size_t argsize)
{
assert(hgc);
packcmdargs(&hgc->ctx, args, argsize);
writeblockrequest(hgc, "runcommand");
handleresponse(hgc);
int32_t exitcode_n;
if (hgc->ctx.datasize != sizeof(exitcode_n)) {
abortmsg("unexpected size of exitcode");
}
memcpy(&exitcode_n, hgc->ctx.data, sizeof(exitcode_n));
return ntohl(exitcode_n);
}
/*!
* (Re-)send client's stdio channels so that the server can access to tty
*/
void hgc_attachio(hgclient_t *hgc)
{
assert(hgc);
if (!(hgc->capflags & CAP_ATTACHIO))
return;
attachio(hgc);
}
/*!
* Update server's environment variables
*
* @param envp list of environment variables in "NAME=VALUE" format,
* terminated by NULL.
*/
void hgc_setenv(hgclient_t *hgc, const char *const envp[])
{
assert(hgc && envp);
if (!(hgc->capflags & CAP_SETENV))
return;
packcmdargs(&hgc->ctx, envp, /*argsize*/ -1);
writeblockrequest(hgc, "setenv");
}