upstream/mercurial-mirror Files · contrib/hg-ssh

dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...

dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

Augie Fackler - - Load All Authors

File last commit:

r32050:77eaf953 4.1.3 stable


                r32050:77eaf953

4.1.3 stable

Download file

             hg-ssh
        
                    87 lines
            
             | 3.0 KiB
            
                | text/plain
            
             |
                TextLexer

/ contrib / hg-ssh

History | Source | Raw |Copy content |Copy permalink

Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537	#!/usr/bin/env python
		#
Thomas Arendsen Hein Adjust contrib/hg-ssh for moved dispatch() function.	r5191	# Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
Martin Geisler add blank line after copyright notices and after header	r8228	#
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537	# Author(s):
		# Thomas Arendsen Hein <thomas@intevation.de>
		#
Martin Geisler updated license to be explicit about GPL version 2	r8225	# This software may be used and distributed according to the terms of the
Matt Mackall Update license to GPLv2+	r10263	# GNU General Public License version 2 or any later version.
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
		"""
		hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

		To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
		command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
		(probably together with these other useful options:
		no-port-forwarding,no-X11-forwarding,no-agent-forwarding)

Andreas Freimuth hg-ssh: fix duplicate word in docstring	r13996	This allows pull/push over ssh from/to the repositories given as arguments.
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
		If all your repositories are subdirectories of a common directory, you can
		allow shorter paths with:
		command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"
Thomas Arendsen Hein Added hint to hg-ssh that you can use shell pattern matching.	r1640
		You can use pattern matching of your normal shell, e.g.:
		command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"
David Schleimer hg-ssh: read-only flag...	r16836
		You can also add a --read-only flag to allow read-only access to a key, e.g.:
		command="hg-ssh --read-only repos/*"
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537	"""

Thomas Arendsen Hein Enable demandimport only in scripts, not in importable modules (issue605)...	r5197	# enable importing on demand to reduce startup time
		from mercurial import demandimport; demandimport.enable()

Augie Fackler dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...	r32050	from mercurial import dispatch, ui as uimod
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
Mads Kiilerich hg-ssh: use shlex for shell-like parsing of SSH_ORIGINAL_COMMAND...	r15897	import sys, os, shlex
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
David Schleimer hg-ssh: refactor to have main() method...	r16779	def main():
		cwd = os.getcwd()
David Schleimer hg-ssh: read-only flag...	r16836	readonly = False
		args = sys.argv[1:]
		while len(args):
		if args[0] == '--read-only':
		readonly = True
		args.pop(0)
		else:
		break
David Schleimer hg-ssh: refactor to have main() method...	r16779	allowed_paths = [os.path.normpath(os.path.join(cwd,
		os.path.expanduser(path)))
David Schleimer hg-ssh: read-only flag...	r16836	for path in args]
David Schleimer hg-ssh: refactor to have main() method...	r16779	orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
		try:
		cmdargv = shlex.split(orig_cmd)
FUJIWARA Katsunori misc: use modern exception syntax...	r28047	except ValueError as e:
David Schleimer hg-ssh: refactor to have main() method...	r16779	sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))
		sys.exit(255)
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
David Schleimer hg-ssh: refactor to have main() method...	r16779	if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
		path = cmdargv[2]
		repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
		if repo in allowed_paths:
David Schleimer hg-ssh: read-only flag...	r16836	cmd = ['-R', repo, 'serve', '--stdio']
Augie Fackler dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...	r32050	req = dispatch.request(cmd)
David Schleimer hg-ssh: read-only flag...	r16836	if readonly:
Augie Fackler dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...	r32050	if not req.ui:
		req.ui = uimod.ui.load()
		req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
		'python:__main__.rejectpush', 'hg-ssh')
		req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
		'python:__main__.rejectpush', 'hg-ssh')
		dispatch.dispatch(req)
David Schleimer hg-ssh: refactor to have main() method...	r16779	else:
		sys.stderr.write('Illegal repository "%s"\n' % repo)
		sys.exit(255)
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537	else:
David Schleimer hg-ssh: refactor to have main() method...	r16779	sys.stderr.write('Illegal command "%s"\n' % orig_cmd)
Mads Kiilerich hg-ssh: exit with 255 instead of -1 on error...	r16607	sys.exit(255)
Thomas Arendsen Hein Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos...	r1537
David Schleimer hg-ssh: read-only flag...	r16836	def rejectpush(ui, **kwargs):
FUJIWARA Katsunori hg-ssh: parenthesize non-translated message...	r28045	ui.warn(("Permission denied\n"))
David Schleimer hg-ssh: read-only flag...	r16836	# mercurial hooks use unix process conventions for hook return values
		# so a truthy return means failure
		return True

David Schleimer hg-ssh: refactor to have main() method...	r16779	if __name__ == '__main__':
		main()

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages