# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 2017-01-20 12:33:18
# Node ID 41e31a6f5296f1516456caca514fa3ff88e3bc42
# Parent 763031a7690db0709bfbf21ad35123d9e03dcd11
revset: prevent using outgoing() and remote() in hgweb session (BC)

outgoing() and remote() may stall for long due to network I/O, which seems unsafe per definition, "whether a predicate is safe for DoS attack." But I'm not 100% sure about this. If our concern isn't elapsed time but CPU resource, these predicates are considered safe. Perhaps that would be up to the web/application server configuration? Anyway, outgoing() and remote() wouldn't be useful in hgweb, so I think it's okay to ban them.

diff --git a/mercurial/revset.py b/mercurial/revset.py
--- a/mercurial/revset.py
+++ b/mercurial/revset.py
@@ -1546,7 +1546,7 @@ def origin(repo, subset, x):
 # some optimizations from the fact this is a baseset.
 return subset & o
-@predicate('outgoing([path])', safe=True)
+@predicate('outgoing([path])', safe=False)
 def outgoing(repo, subset, x):
 """Changesets not found in the specified destination repository, or the default push location.
@@ -1737,7 +1737,7 @@ def public(repo, subset, x):
 return subset.filter(condition, condrepr=('<phase %r>', target), cache=False)
-@predicate('remote([id [,path]])', safe=True)
+@predicate('remote([id [,path]])', safe=False)
 def remote(repo, subset, x):
 """Local revision that corresponds to the given identifier in a remote repository, if present. Here, the '.' identifier is a
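Review bot: The switch to `safe=False` on the `outgoing()` decorator carries no in-code explanation, so a later reader sees only a boolean and could restore `safe=True` without knowing why it was changed; the same applies to the `remote()` decorator in the second hunk. I would add a comment above each decorator, for example `# safe=False: contacts a remote repository (network I/O), so it must not be usable from hgweb revset queries`. Judging by the `[path]` argument in the signature and the docstring's "specified destination repository", the destination can apparently be named inside the revset expression itself, which would be a second reason to keep these predicates out of web-facing queries beyond the stall described in the commit message; this is inferred from the visible lines and worth confirming. No test asserting that an hgweb revset query rejects both predicates is visible in this patch, and one would pin the behaviour change. The body of `outgoing()` continues outside the hunk.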