upstream/mercurial-mirror Files · mercurial/hgweb/request.py

use untrusted settings in hgweb...

use untrusted settings in hgweb The only exceptions are web.static and web.templates, since they can be used to get any file that is readable by the user running the CGI script. Other options can be (ab)used to increase the use of the cpu (allow_bz2) or of the bandwidth (server.uncompressed), but they're trusted anyway.

Vadim Gelfer - - Load All Authors

File last commit:

r2859:345bac2b default


                r3555:88106400

default

Download file

             request.py
        
                    90 lines
            
             | 3.2 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / mercurial / hgweb / request.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Eric Hopper
    
Fixing up comment headers for split up code.

              r2391
            
      # hgweb/request.py - An http request from either CGI or the standalone server.

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
      #

      # Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>

        Vadim Gelfer
    
update copyrights.

              r2859
            
      # Copyright 2005, 2006 Matt Mackall <mpm@selenic.com>

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
      #

      # This software may be used and distributed according to the terms

      # of the GNU General Public License, incorporated herein by reference.

      from mercurial.demandload import demandload

        Benoit Boissinot
    
hgweb: fix errors and warnings found by pychecker...

              r2394
            
      demandload(globals(), "socket sys cgi os errno")

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
      from mercurial.i18n import gettext as _

        Eric Hopper
    
This patch make several WSGI related alterations....

              r2506
            
      class wsgiapplication(object):

          def __init__(self, destmaker):

              self.destmaker = destmaker

          def __call__(self, wsgienv, start_response):

              return _wsgirequest(self.destmaker(), wsgienv, start_response)

      class _wsgioutputfile(object):

          def __init__(self, request):

              self.request = request

          def write(self, data):

              self.request.write(data)

          def writelines(self, lines):

              for line in lines:

                  self.write(line)

          def flush(self):

              return None

          def close(self):

              return None

      class _wsgirequest(object):

          def __init__(self, destination, wsgienv, start_response):

              version = wsgienv['wsgi.version']

              if (version < (1,0)) or (version >= (2, 0)):

                  raise RuntimeError("Unknown and unsupported WSGI version %d.%d" \

                                     % version)

              self.inp = wsgienv['wsgi.input']

              self.out = _wsgioutputfile(self)

              self.server_write = None

              self.err = wsgienv['wsgi.errors']

              self.threaded = wsgienv['wsgi.multithread']

              self.multiprocess = wsgienv['wsgi.multiprocess']

              self.run_once = wsgienv['wsgi.run_once']

              self.env = wsgienv

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
              self.form = cgi.parse(self.inp, self.env, keep_blank_values=1)

        Eric Hopper
    
This patch make several WSGI related alterations....

              r2506
            
              self.start_response = start_response

              self.headers = []

        Eric Hopper
    
Arrange for old copies of CGI scripts to still work.

              r2535
            
              destination.run_wsgi(self)

        Eric Hopper
    
This patch make several WSGI related alterations....

              r2506
            
          def __iter__(self):

              return iter([])

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
        Vadim Gelfer
    
push over http: server support....

              r2464
            
          def read(self, count=-1):

              return self.inp.read(count)

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
          def write(self, *things):

              for thing in things:

                  if hasattr(thing, "__iter__"):

                      for part in thing:

                          self.write(part)

                  else:

        Eric Hopper
    
Really fix http headers for web UI and issue 254....

              r2514
            
                      thing = str(thing)

                      if self.server_write is None:

                          if not self.headers:

                              raise RuntimeError("request.write called before headers sent (%s)." % thing)

                          self.server_write = self.start_response('200 Script output follows',

                                                                  self.headers)

                          self.start_response = None

                          self.headers = None

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
                      try:

        Eric Hopper
    
Really fix http headers for web UI and issue 254....

              r2514
            
                          self.server_write(thing)

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
                      except socket.error, inst:

                          if inst[0] != errno.ECONNRESET:

                              raise

          def header(self, headers=[('Content-type','text/html')]):

        Eric Hopper
    
This patch make several WSGI related alterations....

              r2506
            
              self.headers.extend(headers)

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
        Vadim Gelfer
    
push over http: server side authorization support....

              r2466
            
          def httphdr(self, type, filename=None, length=0, headers={}):

              headers = headers.items()

              headers.append(('Content-type', type))

        Vadim Gelfer
    
http server: support persistent connections....

              r2434
            
              if filename:

                  headers.append(('Content-disposition', 'attachment; filename=%s' %

                                  filename))

              if length:

                  headers.append(('Content-length', str(length)))

        Eric Hopper
    
Splitting up hgweb so it's easier to change.

              r2355
            
              self.header(headers)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Eric Hopper Fixing up comment headers for split up code.	r2391	# hgweb/request.py - An http request from either CGI or the standalone server.
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	#
		# Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>
Vadim Gelfer update copyrights.	r2859	# Copyright 2005, 2006 Matt Mackall <mpm@selenic.com>
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	#
		# This software may be used and distributed according to the terms
		# of the GNU General Public License, incorporated herein by reference.

		from mercurial.demandload import demandload
Benoit Boissinot hgweb: fix errors and warnings found by pychecker...	r2394	demandload(globals(), "socket sys cgi os errno")
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	from mercurial.i18n import gettext as _

Eric Hopper This patch make several WSGI related alterations....	r2506	class wsgiapplication(object):
		def __init__(self, destmaker):
		self.destmaker = destmaker

		def __call__(self, wsgienv, start_response):
		return _wsgirequest(self.destmaker(), wsgienv, start_response)

		class _wsgioutputfile(object):
		def __init__(self, request):
		self.request = request

		def write(self, data):
		self.request.write(data)
		def writelines(self, lines):
		for line in lines:
		self.write(line)
		def flush(self):
		return None
		def close(self):
		return None

		class _wsgirequest(object):
		def __init__(self, destination, wsgienv, start_response):
		version = wsgienv['wsgi.version']
		if (version < (1,0)) or (version >= (2, 0)):
		raise RuntimeError("Unknown and unsupported WSGI version %d.%d" \
		% version)
		self.inp = wsgienv['wsgi.input']
		self.out = _wsgioutputfile(self)
		self.server_write = None
		self.err = wsgienv['wsgi.errors']
		self.threaded = wsgienv['wsgi.multithread']
		self.multiprocess = wsgienv['wsgi.multiprocess']
		self.run_once = wsgienv['wsgi.run_once']
		self.env = wsgienv
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	self.form = cgi.parse(self.inp, self.env, keep_blank_values=1)
Eric Hopper This patch make several WSGI related alterations....	r2506	self.start_response = start_response
		self.headers = []
Eric Hopper Arrange for old copies of CGI scripts to still work.	r2535	destination.run_wsgi(self)
Eric Hopper This patch make several WSGI related alterations....	r2506
		def __iter__(self):
		return iter([])
Eric Hopper Splitting up hgweb so it's easier to change.	r2355
Vadim Gelfer push over http: server support....	r2464	def read(self, count=-1):
		return self.inp.read(count)

Eric Hopper Splitting up hgweb so it's easier to change.	r2355	def write(self, *things):
		for thing in things:
		if hasattr(thing, "__iter__"):
		for part in thing:
		self.write(part)
		else:
Eric Hopper Really fix http headers for web UI and issue 254....	r2514	thing = str(thing)
		if self.server_write is None:
		if not self.headers:
		raise RuntimeError("request.write called before headers sent (%s)." % thing)
		self.server_write = self.start_response('200 Script output follows',
		self.headers)
		self.start_response = None
		self.headers = None
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	try:
Eric Hopper Really fix http headers for web UI and issue 254....	r2514	self.server_write(thing)
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	except socket.error, inst:
		if inst[0] != errno.ECONNRESET:
		raise

		def header(self, headers=[('Content-type','text/html')]):
Eric Hopper This patch make several WSGI related alterations....	r2506	self.headers.extend(headers)
Eric Hopper Splitting up hgweb so it's easier to change.	r2355
Vadim Gelfer push over http: server side authorization support....	r2466	def httphdr(self, type, filename=None, length=0, headers={}):
		headers = headers.items()
		headers.append(('Content-type', type))
Vadim Gelfer http server: support persistent connections....	r2434	if filename:
		headers.append(('Content-disposition', 'attachment; filename=%s' %
		filename))
		if length:
		headers.append(('Content-length', str(length)))
Eric Hopper Splitting up hgweb so it's easier to change.	r2355	self.header(headers)