# HG changeset patch
# User Matt Harbison <matt_harbison@yahoo.com>
# Date 2018-04-01 03:58:08
# Node ID 9640ccf44ac0b8b9c1407e8e74a16fb2ea4b5120
# Parent  fe061e47a2cf2d40836cb993afd4e35e92d9246f

lfs: ensure the transfer request is for a known URI

Since the dispatching code only checks the beginning of the string, this
enforces that there's only one more path component.

diff --git a/hgext/lfs/wireprotolfsserver.py b/hgext/lfs/wireprotolfsserver.py
--- a/hgext/lfs/wireprotolfsserver.py
+++ b/hgext/lfs/wireprotolfsserver.py
@@ -22,6 +22,7 @@ from mercurial import (
 HTTP_OK = hgwebcommon.HTTP_OK
 HTTP_CREATED = hgwebcommon.HTTP_CREATED
 HTTP_BAD_REQUEST = hgwebcommon.HTTP_BAD_REQUEST
+HTTP_NOT_FOUND = hgwebcommon.HTTP_NOT_FOUND
 
 def handlewsgirequest(orig, rctx, req, res, checkperm):
     """Wrap wireprotoserver.handlewsgirequest() to possibly process an LFS
@@ -244,6 +245,10 @@ def _processbasictransfer(repo, req, res
     oid = req.dispatchparts[-1]
     localstore = repo.svfs.lfslocalblobstore
 
+    if len(req.dispatchparts) != 4:
+        _sethttperror(res, HTTP_NOT_FOUND)
+        return True
+
     if method == b'PUT':
         checkperm('upload')