dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig().

If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it.

mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.
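One way a hosting wrapper could enforce the advice in the commit message above, shown as an added example that is not code from Mercurial or hg-ssh: it accepts only the exact `hg -R REPO serve --stdio` shape, refuses repository names that look like options, and confines the repository to one directory. The function names, the `/srv/hg` root and the sample commands are assumptions constructed for illustration.

```python
import posixpath
import shlex

# Names the commit message singles out; any other leading '-' is refused too
# (stricter than the message requires; an assumption of this example).
FORBIDDEN_PREFIXES = ("--debugger", "--config", "-")

class Rejected(Exception):
    """The requested command must not be executed."""

def build_serve_argv(original_command, allowed_root):
    """Validate an SSH-supplied command; return argv for 'hg serve --stdio'."""
    try:
        words = shlex.split(original_command)
    except ValueError:
        raise Rejected("unparseable command")
    # Accept exactly: hg -R REPO serve --stdio (no extra words, no other verbs).
    if (len(words) != 5 or words[:2] != ["hg", "-R"]
            or words[3:] != ["serve", "--stdio"]):
        raise Rejected("only 'hg -R REPO serve --stdio' is allowed")
    repo = words[2]
    if repo.startswith(FORBIDDEN_PREFIXES):
        raise Rejected("repository name looks like an option")
    # Confine the repository to allowed_root after resolving '..' segments.
    root = posixpath.normpath(allowed_root)
    path = posixpath.normpath(posixpath.join(root, repo))
    if not path.startswith(root + "/"):
        raise Rejected("repository outside allowed root")
    # An absolute path cannot be mistaken for an option by the callee.
    return ["hg", "-R", path, "serve", "--stdio"]

# Constructed sample commands (not taken from a real log).
SAMPLES = [
    "hg -R project/main serve --stdio",
    "hg -R --debugger serve --stdio",
    "hg -R --config=hooks.x=y serve --stdio",
    "hg -R ../../etc serve --stdio",
    "hg -R project/main serve --stdio --debugger",
]

def classify(samples, allowed_root="/srv/hg"):
    """Map each sample to its safe argv, or to the rejection reason."""
    results = {}
    for cmd in samples:
        try:
            results[cmd] = build_serve_argv(cmd, allowed_root)
        except Rejected as exc:
            results[cmd] = "rejected: %s" % exc
    return results
```

Configuration that a wrapper previously passed with --config has to reach Mercurial another way, as the commit message describes (ui.setconfig() or an hgrc file).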

File last commit:

r29841:d5883fd0 default
r32050:77eaf953 4.1.3 stable
children.py
69 lines | 2.1 KiB | text/x-python | PythonLexer
# Mercurial extension to provide the 'hg children' command
#
# Copyright 2007 by Intevation GmbH <intevation@intevation.de>
#
# Author(s):
# Thomas Arendsen Hein <thomas@intevation.de>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.

'''command to display child changesets (DEPRECATED)

This extension is deprecated. You should use :hg:`log -r
"children(REV)"` instead.
'''

from __future__ import absolute_import

from mercurial.i18n import _
from mercurial import (
    cmdutil,
    commands,
)

templateopts = commands.templateopts

cmdtable = {}
command = cmdutil.command(cmdtable)
# Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for
# extensions which SHIP WITH MERCURIAL. Non-mainline extensions should
# be specifying the version(s) of Mercurial they are tested with, or
# leave the attribute unspecified.
testedwith = 'ships-with-hg-core'

@command('children',
    [('r', 'rev', '',
      _('show children of the specified revision'), _('REV')),
    ] + templateopts,
    _('hg children [-r REV] [FILE]'),
    inferrepo=True)
def children(ui, repo, file_=None, **opts):
    """show the children of the given or working directory revision

    Print the children of the working directory's revisions. If a
    revision is given via -r/--rev, the children of that revision will
    be printed. If a file argument is given, revision in which the
    file was last changed (after the working directory revision or the
    argument to --rev if given) is printed.

    Please use :hg:`log` instead::

        hg children => hg log -r "children()"
        hg children -r REV => hg log -r "children(REV)"

    See :hg:`help log` and :hg:`help revsets.children`.
    """
    rev = opts.get('rev')
    if file_:
        fctx = repo.filectx(file_, changeid=rev)
        childctxs = [fcctx.changectx() for fcctx in fctx.children()]
    else:
        ctx = repo[rev]
        childctxs = ctx.children()

    displayer = cmdutil.show_changeset(ui, repo, opts)
    for cctx in childctxs:
        displayer.show(cctx)
    displayer.close()