# HG changeset patch
# User Yuya Nishihara
# Date 2018-08-26 13:18:09
# Node ID 15e8250a82da9cda2f0526e34ee27047660066f6
# Parent 17ca967e9fca1f5e56232b335dc62cf86207f41e
hgweb: do not audit URL path as working-directory path

Since hgweb is an interface to repository data, we don't need to prohibit any paths conflicting within the filesystem. Still an access to working files is audited by filectx.

diff --git a/mercurial/hgweb/webutil.py b/mercurial/hgweb/webutil.py
--- a/mercurial/hgweb/webutil.py
+++ b/mercurial/hgweb/webutil.py
@@ -320,7 +320,8 @@ def branchentries(repo, stripecount, lim
 def cleanpath(repo, path):
 path = path.lstrip('/')
- return pathutil.canonpath(repo.root, '', path)
+ auditor = pathutil.pathauditor(repo.root, realfs=False)
+ return pathutil.canonpath(repo.root, '', path, auditor=auditor)
 def changectx(repo, req):
 changeid = "tip"
diff --git a/tests/test-hgwebdir.t b/tests/test-hgwebdir.t
--- a/tests/test-hgwebdir.t
+++ b/tests/test-hgwebdir.t
@@ -1231,14 +1231,15 @@ Test subrepositories inside intermediate
 f2
-Test accessing file that is shadowed by another repository
+Test accessing file that could be shadowed by another repository if the URL
+path were audited as a working-directory path:
 $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
- 403 Forbidden
-
+ 200 Script output follows
- error: path 'f3/file' is inside nested repo 'f3'
- [1]
+ f3/file
+
+Test accessing working-directory file that is shadowed by another repository
 $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
 403 Forbidden
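Review bot: The safety argument for `realfs=False` in `cleanpath` lives only in the commit message, so the new `auditor = pathutil.pathauditor(repo.root, realfs=False)` line reads as a bare relaxation of the audit. The test hunk shows the nested-repo rejection no longer firing for the `tip` URL, which means every caller now has to treat the returned value as a path into repository data and must not join it onto `repo.root` to open a working file. I would record that at the call site, for example `# URL paths name repository data, not working files; working-directory access is still audited by filectx`, and give `cleanpath` a one-line docstring stating that its result is not filesystem-audited. No callers of `cleanpath` are visible in this hunk, so that invariant should be confirmed against them.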
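Review bot: The updated tests pin only the two nested-repo cases (`tip` now returns 200, `ffffffffffff` still returns 403), so nothing here shows that the auditor built with `realfs=False` keeps rejecting structurally invalid paths. A companion case next to these two, requesting a path under `tip` that contains a `..` or `.hg` component and asserting an error response, would guard the non-filesystem checks against regression. Such a case may already exist elsewhere in `test-hgwebdir.t`; only this hunk is visible here.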