##// END OF EJS Templates
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

File last commit:

r30180:736f92c4 default
r32050:77eaf953 4.1.3 stable
Show More
localstore.py
68 lines | 2.4 KiB | text/x-python | PythonLexer
various
hgext: add largefiles extension...
r15168 # Copyright 2009-2010 Gregory P. Ward
# Copyright 2009-2010 Intelerad Medical Systems Incorporated
# Copyright 2010-2011 Fog Creek Software
# Copyright 2010-2011 Unity Technologies
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
Greg Ward
largefiles: improve comments, internal docstrings...
r15252 '''store class for local filesystem'''
liscju
py3: make largefiles/localstore.py use absolute_import
r29310 from __future__ import absolute_import
various
hgext: add largefiles extension...
r15168
from mercurial.i18n import _
Mads Kiilerich
largefiles: always use filechunkiter when iterating files...
r30180 from mercurial import util
various
hgext: add largefiles extension...
r15168
liscju
py3: make largefiles/localstore.py use absolute_import
r29310 from . import (
basestore,
lfutil,
)
various
hgext: add largefiles extension...
r15168
class localstore(basestore.basestore):
Benjamin Pollack
largefiles: make the store primary, and the user cache secondary...
r15317 '''localstore first attempts to grab files out of the store in the remote
Mads Kiilerich
fix trivial spelling errors
r17424 Mercurial repository. Failing that, it attempts to grab the files from
Benjamin Pollack
largefiles: make the store primary, and the user cache secondary...
r15317 the user cache.'''
various
hgext: add largefiles extension...
r15168
def __init__(self, ui, repo, remote):
Sune Foldager
peer: introduce peer methods to prepare for peer classes...
r17191 self.remote = remote.local()
Mads Kiilerich
largefiles: cleanup of warnings on errors getting largefiles...
r18155 super(localstore, self).__init__(ui, repo, self.remote.url())
various
hgext: add largefiles extension...
r15168
Benjamin Pollack
largefiles: make the store primary, and the user cache secondary...
r15317 def put(self, source, hash):
if lfutil.instore(self.remote, hash):
return
Mads Kiilerich
largefiles: 'put' should store 'source' file in under 'hash', also in localstore
r19007 lfutil.link(source, lfutil.storepath(self.remote, hash))
various
hgext: add largefiles extension...
r15168
Matt Harbison
largefiles: adjust localstore to handle batch statlfile requests (issue3583)...
r17411 def exists(self, hashes):
retval = {}
for hash in hashes:
retval[hash] = lfutil.instore(self.remote, hash)
return retval
various
hgext: add largefiles extension...
r15168 def _getfile(self, tmpfile, filename, hash):
Mads Kiilerich
largefiles: refactoring - use findfile in localstore._getfile
r19000 path = lfutil.findfile(self.remote, hash)
if not path:
Mads Kiilerich
largefiles: cleanup of warnings on errors getting largefiles...
r18155 raise basestore.StoreError(filename, hash, self.url,
Martin Geisler
largefiles: lowercase messages
r16928 _("can't get file locally"))
Bryan O'Sullivan
largefiles: use a context manager in _getfile
r27769 with open(path, 'rb') as fd:
Mads Kiilerich
largefiles: always use filechunkiter when iterating files...
r30180 return lfutil.copyandhash(
util.filechunkiter(fd), tmpfile)
various
hgext: add largefiles extension...
r15168
liscju
largefiles: change basestore._verifyfile to take list of files to check...
r29067 def _verifyfiles(self, contents, filestocheck):
failed = False
for cset, filename, expectedhash in filestocheck:
liscju
largefiles: check file in the repo store before checking remotely (issue5257)...
r29421 storepath, exists = lfutil.findstorepath(self.repo, expectedhash)
if not exists:
storepath, exists = lfutil.findstorepath(
self.remote, expectedhash)
liscju
largefiles: change basestore._verifyfile to take list of files to check...
r29067 if not exists:
various
hgext: add largefiles extension...
r15168 self.ui.warn(
liscju
largefiles: change basestore._verifyfile to take list of files to check...
r29067 _('changeset %s: %s references missing %s\n')
Mads Kiilerich
largefiles: report localstore errors with single line warnings messages...
r18545 % (cset, filename, storepath))
liscju
largefiles: change basestore._verifyfile to take list of files to check...
r29067 failed = True
elif contents:
actualhash = lfutil.hashfile(storepath)
if actualhash != expectedhash:
self.ui.warn(
_('changeset %s: %s references corrupted %s\n')
% (cset, filename, storepath))
failed = True
return failed