@@ -32,7 +32,7 b' command="hg-ssh --read-only repos/*"' | |||||
32 | # enable importing on demand to reduce startup time |
|
32 | # enable importing on demand to reduce startup time | |
33 | from mercurial import demandimport; demandimport.enable() |
|
33 | from mercurial import demandimport; demandimport.enable() | |
34 |
|
34 | |||
35 | from mercurial import dispatch |
|
35 | from mercurial import dispatch, ui as uimod | |
36 |
|
36 | |||
37 | import sys, os, shlex |
|
37 | import sys, os, shlex | |
38 |
|
38 | |||
@@ -61,14 +61,15 b' def main():' | |||||
61 | repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) |
|
61 | repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) | |
62 | if repo in allowed_paths: |
|
62 | if repo in allowed_paths: | |
63 | cmd = ['-R', repo, 'serve', '--stdio'] |
|
63 | cmd = ['-R', repo, 'serve', '--stdio'] | |
|
64 | req = dispatch.request(cmd) | |||
64 | if readonly: |
|
65 | if readonly: | |
65 |
|
|
66 | if not req.ui: | |
66 | '--config', |
|
67 | req.ui = uimod.ui.load() | |
67 |
|
|
68 | req.ui.setconfig('hooks', 'pretxnopen.hg-ssh', | |
68 | '--config', |
|
69 | 'python:__main__.rejectpush', 'hg-ssh') | |
69 | 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush' |
|
70 | req.ui.setconfig('hooks', 'prepushkey.hg-ssh', | |
70 | ] |
|
71 | 'python:__main__.rejectpush', 'hg-ssh') | |
71 |
dispatch.dispatch( |
|
72 | dispatch.dispatch(req) | |
72 | else: |
|
73 | else: | |
73 | sys.stderr.write('Illegal repository "%s"\n' % repo) |
|
74 | sys.stderr.write('Illegal repository "%s"\n' % repo) | |
74 | sys.exit(255) |
|
75 | sys.exit(255) |
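Review bot: The read-only branch of main() now installs the `rejectpush` hooks through `req.ui.setconfig` instead of `--config` arguments, but nothing in the code says why. A later cleanup could move them back onto the command line, which would no longer be the four-argument `-R REPO serve --stdio` form that this same commit makes dispatch insist on. A short comment above `req = dispatch.request(cmd)` would record the constraint, for example `# hooks go on the ui object: dispatch only accepts exactly "-R REPO serve --stdio" for serve --stdio`. main() begins above this hunk, so how `readonly` and `allowed_paths` are derived is not visible here.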
@@ -155,6 +155,37 b' def _runcatch(req):' | |||||
155 | pass # happens if called in a thread |
|
155 | pass # happens if called in a thread | |
156 |
|
156 | |||
157 | def _runcatchfunc(): |
|
157 | def _runcatchfunc(): | |
|
158 | realcmd = None | |||
|
159 | try: | |||
|
160 | cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {}) | |||
|
161 | cmd = cmdargs[0] | |||
|
162 | aliases, entry = cmdutil.findcmd(cmd, commands.table, False) | |||
|
163 | realcmd = aliases[0] | |||
|
164 | except (error.UnknownCommand, error.AmbiguousCommand, | |||
|
165 | IndexError, getopt.GetoptError): | |||
|
166 | # Don't handle this here. We know the command is | |||
|
167 | # invalid, but all we're worried about for now is that | |||
|
168 | # it's not a command that server operators expect to | |||
|
169 | # be safe to offer to users in a sandbox. | |||
|
170 | pass | |||
|
171 | if realcmd == 'serve' and '--stdio' in cmdargs: | |||
|
172 | # We want to constrain 'hg serve --stdio' instances pretty | |||
|
173 | # closely, as many shared-ssh access tools want to grant | |||
|
174 | # access to run *only* 'hg -R $repo serve --stdio'. We | |||
|
175 | # restrict to exactly that set of arguments, and prohibit | |||
|
176 | # any repo name that starts with '--' to prevent | |||
|
177 | # shenanigans wherein a user does something like pass | |||
|
178 | # --debugger or --config=ui.debugger=1 as a repo | |||
|
179 | # name. This used to actually run the debugger. | |||
|
180 | if (len(req.args) != 4 or | |||
|
181 | req.args[0] != '-R' or | |||
|
182 | req.args[1].startswith('--') or | |||
|
183 | req.args[2] != 'serve' or | |||
|
184 | req.args[3] != '--stdio'): | |||
|
185 | raise error.Abort( | |||
|
186 | _('potentially unsafe serve --stdio invocation: %r') % | |||
|
187 | (req.args,)) | |||
|
188 | ||||
158 | try: |
|
189 | try: | |
159 | debugger = 'pdb' |
|
190 | debugger = 'pdb' | |
160 | debugtrace = { |
|
191 | debugtrace = { |
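Review bot: The strict argument check in `_runcatchfunc` fails open, because it only runs when `realcmd == 'serve'`. If `fancyopts` or `findcmd` raises one of the caught exceptions, `realcmd` stays `None` and the guard is skipped. The sandbox guarantee then depends on code outside this hunk rejecting that command line before any early option is honoured, which cannot be confirmed from the lines shown. The comment on the `pass` branch should state that dependency explicitly, e.g. `# NOTE: fails open here; relies on later dispatch aborting before early options take effect`. Alternatively the guard could also abort when the command cannot be resolved and `'--stdio'` appears anywhere in `req.args`. The function body continues past the end of the hunk.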
@@ -357,6 +357,19 b' Test (non-)escaping of remote paths with' | |||||
357 | abort: destination 'a repo' is not empty |
|
357 | abort: destination 'a repo' is not empty | |
358 | [255] |
|
358 | [255] | |
359 |
|
359 | |||
|
360 | Make sure hg is really paranoid in serve --stdio mode. It used to be | |||
|
361 | possible to get a debugger REPL by specifying a repo named --debugger. | |||
|
362 | $ hg -R --debugger serve --stdio | |||
|
363 | abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio'] | |||
|
364 | [255] | |||
|
365 | $ hg -R --config=ui.debugger=yes serve --stdio | |||
|
366 | abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio'] | |||
|
367 | [255] | |||
|
368 | Abbreviations of 'serve' also don't work, to avoid shenanigans. | |||
|
369 | $ hg -R narf serv --stdio | |||
|
370 | abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio'] | |||
|
371 | [255] | |||
|
372 | ||||
360 | Test hg-ssh using a helper script that will restore PYTHONPATH (which might |
|
373 | Test hg-ssh using a helper script that will restore PYTHONPATH (which might | |
361 | have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right |
|
374 | have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right | |
362 | parameters: |
|
375 | parameters: |
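Review bot: The three new cases all pass exactly four arguments starting with `-R`, so two clauses of the new guard are never exercised: `len(req.args) != 4` and `req.args[0] != '-R'`. Adding one case with an extra trailing argument after `--stdio`, and one where the repository is given by some means other than a leading `-R`, would pin those conditions. Without them, a later refactor could drop either clause and the test would still pass. The exact abort output for such cases depends on how the global options are parsed, so it should be recorded from a real run rather than guessed.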