dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it.

mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.
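
The check the commit message asks hosting services to make on client-supplied repository names, as an added example (not Mercurial's or hg-ssh's own code). The names `build_serve_argv` and `RejectedCommand` and the `/srv/hg` paths are assumptions, and rejecting every name that begins with `-` goes beyond the two cases the message names.

```python
import os
import shlex


class RejectedCommand(Exception):
    """Raised when the client-supplied command must not be executed."""


def build_serve_argv(original_command, allowed_repos, cwd):
    """Return a safe argv for 'hg serve --stdio', or raise RejectedCommand.

    original_command: string sent by the client (e.g. SSH_ORIGINAL_COMMAND)
    allowed_repos:    absolute repository paths this user may access
    cwd:              directory against which relative names are resolved
    (Hypothetical helper written for this example.)
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise RejectedCommand("unparseable command: %s" % exc)

    # Accept exactly one shape: hg -R <repo> serve --stdio
    if (len(argv) != 5 or argv[:2] != ["hg", "-R"]
            or argv[3:] != ["serve", "--stdio"]):
        raise RejectedCommand("only 'hg -R <repo> serve --stdio' is allowed")

    name = argv[2]
    # A repository name that looks like an option ('--debugger',
    # '--config=...') must never reach hg's argument parser.
    if not name or name.startswith("-"):
        raise RejectedCommand("repository name looks like an option: %r" % name)

    # Resolve to an absolute path and compare with the allow-list, so the
    # value handed to hg is an absolute path and never begins with '-'.
    repo = os.path.normpath(os.path.join(cwd, name))
    if repo not in {os.path.normpath(p) for p in allowed_repos}:
        raise RejectedCommand("repository not permitted: %r" % name)

    return ["hg", "-R", repo, "serve", "--stdio"]


if __name__ == "__main__":
    # Constructed sample input; the paths are placeholders.
    print(build_serve_argv("hg -R project serve --stdio",
                           ["/srv/hg/project"], "/srv/hg"))
```

Configuration such as read-only hooks still has to reach Mercurial by the routes the message lists (ui.setconfig() or an hgrc file), not through extra arguments appended to this argv.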

File last commit:

r30765:eb7de21b default
r32050:77eaf953 4.1.3 stable
test-hgweb-removed.t
243 lines | 6.9 KiB | text/troff | Tads3Lexer
/ tests / test-hgweb-removed.t
Matt Mackall
tests: replace exit 80 with #require
r22046 #require serve
Mads Kiilerich
tests: use 'hghave serve' to guard tests that requires serve daemon management
r15446
Matt Mackall
tests: unify test-hgweb-removed
r12442 setting up repo
$ hg init test
$ cd test
$ echo a > a
$ hg ci -Ama
adding a
$ hg rm a
$ hg ci -mdel
set up hgweb
$ hg serve -n test -p $HGPORT -d --pid-file=hg.pid -A access.log -E errors.log
$ cat hg.pid >> $DAEMON_PIDS
revision
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ get-with-headers.py localhost:$HGPORT 'rev/tip'
Matt Mackall
tests: unify test-hgweb-removed
r12442 200 Script output follows
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
<head>
<link rel="icon" href="/static/hgicon.png" type="image/png" />
<meta name="robots" content="index, nofollow" />
<link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
Benoit Allard
web: Made elapsed time calculation dynamic (javascript)....
r14046 <script type="text/javascript" src="/static/mercurial.js"></script>
Matt Mackall
tests: unify test-hgweb-removed
r12442
<title>test: c78f6c5cbea9</title>
</head>
<body>
<div class="container">
<div class="menu">
<div class="logo">
Matt Mackall
urls: bulk-change primary website URLs
r26421 <a href="https://mercurial-scm.org/">
Matt Mackall
tests: unify test-hgweb-removed
r12442 <img src="/static/hglogo.png" alt="mercurial" /></a>
</div>
<ul>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/shortlog/tip">log</a></li>
<li><a href="/graph/tip">graph</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <li><a href="/tags">tags</a></li>
Alexander Solovyov
hgweb: add separate page with bookmarks listing
r13597 <li><a href="/bookmarks">bookmarks</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <li><a href="/branches">branches</a></li>
</ul>
<ul>
<li class="active">changeset</li>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/raw-rev/tip">raw</a></li>
<li><a href="/file/tip">browse</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </ul>
<ul>
</ul>
Augie Fackler
web: add a help view for getting hg help output
r12666 <ul>
<li><a href="/help">help</a></li>
</ul>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </div>
<div class="main">
Bryan O'Sullivan
tests: update hgweb tests to include breadcrumbs
r18264 <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
av6
hgweb: link to revision by node hash in paper & coal...
r25617 <h3>
changeset 1:<a href="/rev/c78f6c5cbea9">c78f6c5cbea9</a>
<span class="tag">tip</span>
</h3>
Matt Mackall
tests: unify test-hgweb-removed
r12442
<form class="search" action="/log">
<p><input name="rev" id="search1" type="text" size="30" /></p>
Alexander Plavin
paper: edit search hint to include new feature description
r19796 <div id="hint">Find changesets by keywords (author, files, the commit message), revision
number or hash, or <a href="/help/revsets">revset expression</a>.</div>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </form>
<div class="description">del</div>
<table id="changesetEntry">
<tr>
<th class="author">author</th>
<td class="author">&#116;&#101;&#115;&#116;</td>
</tr>
<tr>
<th class="date">date</th>
Anton Shestakov
hgweb: clearly outline <tr> block in paper/changeset.tmpl...
r24130 <td class="date age">Thu, 01 Jan 1970 00:00:00 +0000</td>
</tr>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <tr>
<th class="author">parents</th>
<td class="author"><a href="/rev/cb9a9f314b8b">cb9a9f314b8b</a> </td>
</tr>
<tr>
<th class="author">children</th>
<td class="author"></td>
</tr>
<tr>
<th class="files">files</th>
<td class="files">a </td>
</tr>
Steven Brown
paper, coal: display diffstat on the changeset page...
r14571 <tr>
<th class="diffstat">diffstat</th>
<td class="diffstat">
1 files changed, 0 insertions(+), 1 deletions(-)
Anton Shestakov
hgweb: fix diffstat links in paper/changeset.tmpl...
r23831 <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
Steven Brown
paper, coal: display diffstat on the changeset page...
r14571 <div id="diffstatdetails" style="display:none;">
Anton Shestakov
hgweb: fix diffstat links in paper/changeset.tmpl...
r23831 <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
Anton Shestakov
hgweb: use css margin instead of empty <p> before diffstat table...
r24042 <table class="diffstat-table stripes2"> <tr>
Steven Brown
paper, coal: display diffstat on the changeset page...
r14571 <td class="diffstat-file"><a href="#l1.1">a</a></td>
<td class="diffstat-total" align="right">1</td>
<td class="diffstat-graph">
<span class="diffstat-add" style="width:0.0%;">&nbsp;</span>
<span class="diffstat-remove" style="width:100.0%;">&nbsp;</span>
</td>
</tr>
</table>
</div>
</td>
</tr>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </table>
<div class="overflow">
Alexander Plavin
hgweb: add line wrapping switch to file diff and changeset views
r19433 <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
Alexander Plavin
hgweb: file diff and changesets views behave like file source view...
r19432 <div class="sourcefirst"> line diff</div>
<div class="stripes2 diffblocks">
<div class="bottomline inc-lineno"><pre class="sourcelines wrap">
<span id="l1.1" class="minusline">--- a/a Thu Jan 01 00:00:00 1970 +0000</span><a href="#l1.1"></a>
<span id="l1.2" class="plusline">+++ /dev/null Thu Jan 01 00:00:00 1970 +0000</span><a href="#l1.2"></a>
<span id="l1.3" class="atline">@@ -1,1 +0,0 @@</span><a href="#l1.3"></a>
<span id="l1.4" class="minusline">-a</span><a href="#l1.4"></a></pre></div>
</div>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </div>
</div>
</div>
</body>
</html>
diff removed file
Matt Mackall
tests: drop explicit $TESTDIR from executables...
r25472 $ get-with-headers.py localhost:$HGPORT 'diff/tip/a'
Matt Mackall
tests: unify test-hgweb-removed
r12442 200 Script output follows
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
<head>
<link rel="icon" href="/static/hgicon.png" type="image/png" />
<meta name="robots" content="index, nofollow" />
<link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
Benoit Allard
web: Made elapsed time calculation dynamic (javascript)....
r14046 <script type="text/javascript" src="/static/mercurial.js"></script>
Matt Mackall
tests: unify test-hgweb-removed
r12442
<title>test: a diff</title>
</head>
<body>
<div class="container">
<div class="menu">
<div class="logo">
Matt Mackall
urls: bulk-change primary website URLs
r26421 <a href="https://mercurial-scm.org/">
Matt Mackall
tests: unify test-hgweb-removed
r12442 <img src="/static/hglogo.png" alt="mercurial" /></a>
</div>
<ul>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/shortlog/tip">log</a></li>
<li><a href="/graph/tip">graph</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <li><a href="/tags">tags</a></li>
Alexander Solovyov
hgweb: add separate page with bookmarks listing
r13597 <li><a href="/bookmarks">bookmarks</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <li><a href="/branches">branches</a></li>
</ul>
<ul>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/rev/tip">changeset</a></li>
<li><a href="/file/tip">browse</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </ul>
<ul>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/file/tip/a">file</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 <li><a href="/file/tip/a">latest</a></li>
<li class="active">diff</li>
av6
hgweb: don't dereference symbolic revision in paper & coal style (issue2296)...
r25606 <li><a href="/comparison/tip/a">comparison</a></li>
<li><a href="/annotate/tip/a">annotate</a></li>
<li><a href="/log/tip/a">file log</a></li>
<li><a href="/raw-file/tip/a">raw</a></li>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </ul>
Augie Fackler
hgweb: add help link to templates missed in ead4e21f49f1
r12680 <ul>
<li><a href="/help">help</a></li>
</ul>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </div>
<div class="main">
Bryan O'Sullivan
tests: update hgweb tests to include breadcrumbs
r18264 <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
av6
hgweb: link to revision by node hash in paper & coal...
r25617 <h3>
diff a @ 1:<a href="/rev/c78f6c5cbea9">c78f6c5cbea9</a>
<span class="tag">tip</span>
</h3>
Matt Mackall
tests: unify test-hgweb-removed
r12442
<form class="search" action="/log">
<p></p>
<p><input name="rev" id="search1" type="text" size="30" /></p>
Alexander Plavin
paper: edit search hint to include new feature description
r19796 <div id="hint">Find changesets by keywords (author, files, the commit message), revision
number or hash, or <a href="/help/revsets">revset expression</a>.</div>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </form>
<div class="description">del</div>
<table id="changesetEntry">
<tr>
<th>author</th>
<td>&#116;&#101;&#115;&#116;</td>
</tr>
<tr>
<th>date</th>
Brodie Rao
hgweb: fix dynamic date calculation not working under Safari...
r15375 <td class="date age">Thu, 01 Jan 1970 00:00:00 +0000</td>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </tr>
<tr>
<th>parents</th>
<td><a href="/file/cb9a9f314b8b/a">cb9a9f314b8b</a> </td>
</tr>
<tr>
<th>children</th>
<td></td>
</tr>
</table>
<div class="overflow">
Alexander Plavin
hgweb: add line wrapping switch to file diff and changeset views
r19433 <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
Alexander Plavin
hgweb: file diff and changesets views behave like file source view...
r19432 <div class="sourcefirst"> line diff</div>
<div class="stripes2 diffblocks">
<div class="bottomline inc-lineno"><pre class="sourcelines wrap">
<span id="l1.1" class="minusline">--- a/a Thu Jan 01 00:00:00 1970 +0000</span><a href="#l1.1"></a>
<span id="l1.2" class="plusline">+++ /dev/null Thu Jan 01 00:00:00 1970 +0000</span><a href="#l1.2"></a>
<span id="l1.3" class="atline">@@ -1,1 +0,0 @@</span><a href="#l1.3"></a>
<span id="l1.4" class="minusline">-a</span><a href="#l1.4"></a></pre></div>
</div>
Matt Mackall
tests: unify test-hgweb-removed
r12442 </div>
</div>
</div>
</body>
</html>
Mads Kiilerich
tests: add missing trailing 'cd ..'...
r16913
$ cd ..