Show More
| @@ -1,213 +1,214 b'' | |||||
| 1 | from __future__ import absolute_import |
|
1 | from __future__ import absolute_import | |
| 2 |
|
2 | |||
| 3 | import errno |
|
3 | import errno | |
| 4 | import os |
|
4 | import os | |
| 5 | import posixpath |
|
5 | import posixpath | |
| 6 | import stat |
|
6 | import stat | |
| 7 |
|
7 | |||
| 8 | from .i18n import _ |
|
8 | from .i18n import _ | |
| 9 | from . import ( |
|
9 | from . import ( | |
| 10 | encoding, |
|
10 | encoding, | |
| 11 | error, |
|
11 | error, | |
| 12 | util, |
|
12 | util, | |
| 13 | ) |
|
13 | ) | |
| 14 |
|
14 | |||
| 15 | def _lowerclean(s): |
|
15 | def _lowerclean(s): | |
| 16 | return encoding.hfsignoreclean(s.lower()) |
|
16 | return encoding.hfsignoreclean(s.lower()) | |
| 17 |
|
17 | |||
| 18 | class pathauditor(object): |
|
18 | class pathauditor(object): | |
| 19 | '''ensure that a filesystem path contains no banned components. |
|
19 | '''ensure that a filesystem path contains no banned components. | |
| 20 | the following properties of a path are checked: |
|
20 | the following properties of a path are checked: | |
| 21 |
|
21 | |||
| 22 | - ends with a directory separator |
|
22 | - ends with a directory separator | |
| 23 | - under top-level .hg |
|
23 | - under top-level .hg | |
| 24 | - starts at the root of a windows drive |
|
24 | - starts at the root of a windows drive | |
| 25 | - contains ".." |
|
25 | - contains ".." | |
| 26 |
|
26 | |||
| 27 | More check are also done about the file system states: |
|
27 | More check are also done about the file system states: | |
| 28 | - traverses a symlink (e.g. a/symlink_here/b) |
|
28 | - traverses a symlink (e.g. a/symlink_here/b) | |
| 29 | - inside a nested repository (a callback can be used to approve |
|
29 | - inside a nested repository (a callback can be used to approve | |
| 30 | some nested repositories, e.g., subrepositories) |
|
30 | some nested repositories, e.g., subrepositories) | |
| 31 |
|
31 | |||
| 32 | The file system checks are only done when 'realfs' is set to True (the |
|
32 | The file system checks are only done when 'realfs' is set to True (the | |
| 33 | default). They should be disable then we are auditing path for operation on |
|
33 | default). They should be disable then we are auditing path for operation on | |
| 34 | stored history. |
|
34 | stored history. | |
| 35 | ''' |
|
35 | ''' | |
| 36 |
|
36 | |||
| 37 | def __init__(self, root, callback=None, realfs=True): |
|
37 | def __init__(self, root, callback=None, realfs=True): | |
| 38 | self.audited = set() |
|
38 | self.audited = set() | |
| 39 | self.auditeddir = set() |
|
39 | self.auditeddir = set() | |
| 40 | self.root = root |
|
40 | self.root = root | |
| 41 | self._realfs = realfs |
|
41 | self._realfs = realfs | |
| 42 | self.callback = callback |
|
42 | self.callback = callback | |
| 43 | if os.path.lexists(root) and not util.checkcase(root): |
|
43 | if os.path.lexists(root) and not util.checkcase(root): | |
| 44 | self.normcase = util.normcase |
|
44 | self.normcase = util.normcase | |
| 45 | else: |
|
45 | else: | |
| 46 | self.normcase = lambda x: x |
|
46 | self.normcase = lambda x: x | |
| 47 |
|
47 | |||
| 48 | def __call__(self, path): |
|
48 | def __call__(self, path): | |
| 49 | '''Check the relative path. |
|
49 | '''Check the relative path. | |
| 50 | path may contain a pattern (e.g. foodir/**.txt)''' |
|
50 | path may contain a pattern (e.g. foodir/**.txt)''' | |
| 51 |
|
51 | |||
| 52 | path = util.localpath(path) |
|
52 | path = util.localpath(path) | |
| 53 | normpath = self.normcase(path) |
|
53 | normpath = self.normcase(path) | |
| 54 | if normpath in self.audited: |
|
54 | if normpath in self.audited: | |
| 55 | return |
|
55 | return | |
| 56 | # AIX ignores "/" at end of path, others raise EISDIR. |
|
56 | # AIX ignores "/" at end of path, others raise EISDIR. | |
| 57 | if util.endswithsep(path): |
|
57 | if util.endswithsep(path): | |
| 58 | raise error.Abort(_("path ends in directory separator: %s") % path) |
|
58 | raise error.Abort(_("path ends in directory separator: %s") % path) | |
| 59 | parts = util.splitpath(path) |
|
59 | parts = util.splitpath(path) | |
| 60 | if (os.path.splitdrive(path)[0] |
|
60 | if (os.path.splitdrive(path)[0] | |
| 61 | or _lowerclean(parts[0]) in ('.hg', '.hg.', '') |
|
61 | or _lowerclean(parts[0]) in ('.hg', '.hg.', '') | |
| 62 | or os.pardir in parts): |
|
62 | or os.pardir in parts): | |
| 63 | raise error.Abort(_("path contains illegal component: %s") % path) |
|
63 | raise error.Abort(_("path contains illegal component: %s") % path) | |
| 64 | # Windows shortname aliases |
|
64 | # Windows shortname aliases | |
| 65 | for p in parts: |
|
65 | for p in parts: | |
| 66 | if "~" in p: |
|
66 | if "~" in p: | |
| 67 | first, last = p.split("~", 1) |
|
67 | first, last = p.split("~", 1) | |
| 68 | if last.isdigit() and first.upper() in ["HG", "HG8B6C"]: |
|
68 | if last.isdigit() and first.upper() in ["HG", "HG8B6C"]: | |
| 69 | raise error.Abort(_("path contains illegal component: %s") |
|
69 | raise error.Abort(_("path contains illegal component: %s") | |
| 70 | % path) |
|
70 | % path) | |
| 71 | if '.hg' in _lowerclean(path): |
|
71 | if '.hg' in _lowerclean(path): | |
| 72 | lparts = [_lowerclean(p.lower()) for p in parts] |
|
72 | lparts = [_lowerclean(p.lower()) for p in parts] | |
| 73 | for p in '.hg', '.hg.': |
|
73 | for p in '.hg', '.hg.': | |
| 74 | if p in lparts[1:]: |
|
74 | if p in lparts[1:]: | |
| 75 | pos = lparts.index(p) |
|
75 | pos = lparts.index(p) | |
| 76 | base = os.path.join(*parts[:pos]) |
|
76 | base = os.path.join(*parts[:pos]) | |
| 77 | raise error.Abort(_("path '%s' is inside nested repo %r") |
|
77 | raise error.Abort(_("path '%s' is inside nested repo %r") | |
| 78 | % (path, base)) |
|
78 | % (path, base)) | |
| 79 |
|
79 | |||
| 80 | normparts = util.splitpath(normpath) |
|
80 | normparts = util.splitpath(normpath) | |
| 81 | assert len(parts) == len(normparts) |
|
81 | assert len(parts) == len(normparts) | |
| 82 |
|
82 | |||
| 83 | parts.pop() |
|
83 | parts.pop() | |
| 84 | normparts.pop() |
|
84 | normparts.pop() | |
| 85 | prefixes = [] |
|
85 | prefixes = [] | |
| 86 | while parts: |
|
86 | # It's important that we check the path parts starting from the root. | |
| 87 | prefix = os.sep.join(parts) |
|
87 | # This means we won't accidentaly traverse a symlink into some other | |
| 88 | normprefix = os.sep.join(normparts) |
|
88 | # filesystem (which is potentially expensive to access). | |
|
|
89 | for i in range(len(parts)): | |||
|
|
90 | prefix = os.sep.join(parts[:i + 1]) | |||
|
|
91 | normprefix = os.sep.join(normparts[:i + 1]) | |||
| 89 | if normprefix in self.auditeddir: |
|
92 | if normprefix in self.auditeddir: | |
| 90 |
|
|
93 | continue | |
| 91 | if self._realfs: |
|
94 | if self._realfs: | |
| 92 | self._checkfs(prefix, path) |
|
95 | self._checkfs(prefix, path) | |
| 93 | prefixes.append(normprefix) |
|
96 | prefixes.append(normprefix) | |
| 94 | parts.pop() |
|
|||
| 95 | normparts.pop() |
|
|||
| 96 |
|
97 | |||
| 97 | self.audited.add(normpath) |
|
98 | self.audited.add(normpath) | |
| 98 | # only add prefixes to the cache after checking everything: we don't |
|
99 | # only add prefixes to the cache after checking everything: we don't | |
| 99 | # want to add "foo/bar/baz" before checking if there's a "foo/.hg" |
|
100 | # want to add "foo/bar/baz" before checking if there's a "foo/.hg" | |
| 100 | self.auditeddir.update(prefixes) |
|
101 | self.auditeddir.update(prefixes) | |
| 101 |
|
102 | |||
| 102 | def _checkfs(self, prefix, path): |
|
103 | def _checkfs(self, prefix, path): | |
| 103 | """raise exception if a file system backed check fails""" |
|
104 | """raise exception if a file system backed check fails""" | |
| 104 | curpath = os.path.join(self.root, prefix) |
|
105 | curpath = os.path.join(self.root, prefix) | |
| 105 | try: |
|
106 | try: | |
| 106 | st = os.lstat(curpath) |
|
107 | st = os.lstat(curpath) | |
| 107 | except OSError as err: |
|
108 | except OSError as err: | |
| 108 | # EINVAL can be raised as invalid path syntax under win32. |
|
109 | # EINVAL can be raised as invalid path syntax under win32. | |
| 109 | # They must be ignored for patterns can be checked too. |
|
110 | # They must be ignored for patterns can be checked too. | |
| 110 | if err.errno not in (errno.ENOENT, errno.ENOTDIR, errno.EINVAL): |
|
111 | if err.errno not in (errno.ENOENT, errno.ENOTDIR, errno.EINVAL): | |
| 111 | raise |
|
112 | raise | |
| 112 | else: |
|
113 | else: | |
| 113 | if stat.S_ISLNK(st.st_mode): |
|
114 | if stat.S_ISLNK(st.st_mode): | |
| 114 | msg = _('path %r traverses symbolic link %r') % (path, prefix) |
|
115 | msg = _('path %r traverses symbolic link %r') % (path, prefix) | |
| 115 | raise error.Abort(msg) |
|
116 | raise error.Abort(msg) | |
| 116 | elif (stat.S_ISDIR(st.st_mode) and |
|
117 | elif (stat.S_ISDIR(st.st_mode) and | |
| 117 | os.path.isdir(os.path.join(curpath, '.hg'))): |
|
118 | os.path.isdir(os.path.join(curpath, '.hg'))): | |
| 118 | if not self.callback or not self.callback(curpath): |
|
119 | if not self.callback or not self.callback(curpath): | |
| 119 | msg = _("path '%s' is inside nested repo %r") |
|
120 | msg = _("path '%s' is inside nested repo %r") | |
| 120 | raise error.Abort(msg % (path, prefix)) |
|
121 | raise error.Abort(msg % (path, prefix)) | |
| 121 |
|
122 | |||
| 122 | def check(self, path): |
|
123 | def check(self, path): | |
| 123 | try: |
|
124 | try: | |
| 124 | self(path) |
|
125 | self(path) | |
| 125 | return True |
|
126 | return True | |
| 126 | except (OSError, error.Abort): |
|
127 | except (OSError, error.Abort): | |
| 127 | return False |
|
128 | return False | |
| 128 |
|
129 | |||
| 129 | def canonpath(root, cwd, myname, auditor=None): |
|
130 | def canonpath(root, cwd, myname, auditor=None): | |
| 130 | '''return the canonical path of myname, given cwd and root''' |
|
131 | '''return the canonical path of myname, given cwd and root''' | |
| 131 | if util.endswithsep(root): |
|
132 | if util.endswithsep(root): | |
| 132 | rootsep = root |
|
133 | rootsep = root | |
| 133 | else: |
|
134 | else: | |
| 134 | rootsep = root + os.sep |
|
135 | rootsep = root + os.sep | |
| 135 | name = myname |
|
136 | name = myname | |
| 136 | if not os.path.isabs(name): |
|
137 | if not os.path.isabs(name): | |
| 137 | name = os.path.join(root, cwd, name) |
|
138 | name = os.path.join(root, cwd, name) | |
| 138 | name = os.path.normpath(name) |
|
139 | name = os.path.normpath(name) | |
| 139 | if auditor is None: |
|
140 | if auditor is None: | |
| 140 | auditor = pathauditor(root) |
|
141 | auditor = pathauditor(root) | |
| 141 | if name != rootsep and name.startswith(rootsep): |
|
142 | if name != rootsep and name.startswith(rootsep): | |
| 142 | name = name[len(rootsep):] |
|
143 | name = name[len(rootsep):] | |
| 143 | auditor(name) |
|
144 | auditor(name) | |
| 144 | return util.pconvert(name) |
|
145 | return util.pconvert(name) | |
| 145 | elif name == root: |
|
146 | elif name == root: | |
| 146 | return '' |
|
147 | return '' | |
| 147 | else: |
|
148 | else: | |
| 148 | # Determine whether `name' is in the hierarchy at or beneath `root', |
|
149 | # Determine whether `name' is in the hierarchy at or beneath `root', | |
| 149 | # by iterating name=dirname(name) until that causes no change (can't |
|
150 | # by iterating name=dirname(name) until that causes no change (can't | |
| 150 | # check name == '/', because that doesn't work on windows). The list |
|
151 | # check name == '/', because that doesn't work on windows). The list | |
| 151 | # `rel' holds the reversed list of components making up the relative |
|
152 | # `rel' holds the reversed list of components making up the relative | |
| 152 | # file name we want. |
|
153 | # file name we want. | |
| 153 | rel = [] |
|
154 | rel = [] | |
| 154 | while True: |
|
155 | while True: | |
| 155 | try: |
|
156 | try: | |
| 156 | s = util.samefile(name, root) |
|
157 | s = util.samefile(name, root) | |
| 157 | except OSError: |
|
158 | except OSError: | |
| 158 | s = False |
|
159 | s = False | |
| 159 | if s: |
|
160 | if s: | |
| 160 | if not rel: |
|
161 | if not rel: | |
| 161 | # name was actually the same as root (maybe a symlink) |
|
162 | # name was actually the same as root (maybe a symlink) | |
| 162 | return '' |
|
163 | return '' | |
| 163 | rel.reverse() |
|
164 | rel.reverse() | |
| 164 | name = os.path.join(*rel) |
|
165 | name = os.path.join(*rel) | |
| 165 | auditor(name) |
|
166 | auditor(name) | |
| 166 | return util.pconvert(name) |
|
167 | return util.pconvert(name) | |
| 167 | dirname, basename = util.split(name) |
|
168 | dirname, basename = util.split(name) | |
| 168 | rel.append(basename) |
|
169 | rel.append(basename) | |
| 169 | if dirname == name: |
|
170 | if dirname == name: | |
| 170 | break |
|
171 | break | |
| 171 | name = dirname |
|
172 | name = dirname | |
| 172 |
|
173 | |||
| 173 | # A common mistake is to use -R, but specify a file relative to the repo |
|
174 | # A common mistake is to use -R, but specify a file relative to the repo | |
| 174 | # instead of cwd. Detect that case, and provide a hint to the user. |
|
175 | # instead of cwd. Detect that case, and provide a hint to the user. | |
| 175 | hint = None |
|
176 | hint = None | |
| 176 | try: |
|
177 | try: | |
| 177 | if cwd != root: |
|
178 | if cwd != root: | |
| 178 | canonpath(root, root, myname, auditor) |
|
179 | canonpath(root, root, myname, auditor) | |
| 179 | hint = (_("consider using '--cwd %s'") |
|
180 | hint = (_("consider using '--cwd %s'") | |
| 180 | % os.path.relpath(root, cwd)) |
|
181 | % os.path.relpath(root, cwd)) | |
| 181 | except error.Abort: |
|
182 | except error.Abort: | |
| 182 | pass |
|
183 | pass | |
| 183 |
|
184 | |||
| 184 | raise error.Abort(_("%s not under root '%s'") % (myname, root), |
|
185 | raise error.Abort(_("%s not under root '%s'") % (myname, root), | |
| 185 | hint=hint) |
|
186 | hint=hint) | |
| 186 |
|
187 | |||
| 187 | def normasprefix(path): |
|
188 | def normasprefix(path): | |
| 188 | '''normalize the specified path as path prefix |
|
189 | '''normalize the specified path as path prefix | |
| 189 |
|
190 | |||
| 190 | Returned value can be used safely for "p.startswith(prefix)", |
|
191 | Returned value can be used safely for "p.startswith(prefix)", | |
| 191 | "p[len(prefix):]", and so on. |
|
192 | "p[len(prefix):]", and so on. | |
| 192 |
|
193 | |||
| 193 | For efficiency, this expects "path" argument to be already |
|
194 | For efficiency, this expects "path" argument to be already | |
| 194 | normalized by "os.path.normpath", "os.path.realpath", and so on. |
|
195 | normalized by "os.path.normpath", "os.path.realpath", and so on. | |
| 195 |
|
196 | |||
| 196 | See also issue3033 for detail about need of this function. |
|
197 | See also issue3033 for detail about need of this function. | |
| 197 |
|
198 | |||
| 198 | >>> normasprefix('/foo/bar').replace(os.sep, '/') |
|
199 | >>> normasprefix('/foo/bar').replace(os.sep, '/') | |
| 199 | '/foo/bar/' |
|
200 | '/foo/bar/' | |
| 200 | >>> normasprefix('/').replace(os.sep, '/') |
|
201 | >>> normasprefix('/').replace(os.sep, '/') | |
| 201 | '/' |
|
202 | '/' | |
| 202 | ''' |
|
203 | ''' | |
| 203 | d, p = os.path.splitdrive(path) |
|
204 | d, p = os.path.splitdrive(path) | |
| 204 | if len(p) != len(os.sep): |
|
205 | if len(p) != len(os.sep): | |
| 205 | return path + os.sep |
|
206 | return path + os.sep | |
| 206 | else: |
|
207 | else: | |
| 207 | return path |
|
208 | return path | |
| 208 |
|
209 | |||
| 209 | # forward two methods from posixpath that do what we need, but we'd |
|
210 | # forward two methods from posixpath that do what we need, but we'd | |
| 210 | # rather not let our internals know that we're thinking in posix terms |
|
211 | # rather not let our internals know that we're thinking in posix terms | |
| 211 | # - instead we'll let them be oblivious. |
|
212 | # - instead we'll let them be oblivious. | |
| 212 | join = posixpath.join |
|
213 | join = posixpath.join | |
| 213 | dirname = posixpath.dirname |
|
214 | dirname = posixpath.dirname | |
General Comments 0
You need to be logged in to leave comments.
Login now