##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
Augie Fackler -
r32050:77eaf953 4.1.3 stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -32,7 +32,7 b' command="hg-ssh --read-only repos/*"'
32 32 # enable importing on demand to reduce startup time
33 33 from mercurial import demandimport; demandimport.enable()
34 34
35 from mercurial import dispatch
35 from mercurial import dispatch, ui as uimod
36 36
37 37 import sys, os, shlex
38 38
@@ -61,14 +61,15 b' def main():'
61 61 repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
62 62 if repo in allowed_paths:
63 63 cmd = ['-R', repo, 'serve', '--stdio']
64 req = dispatch.request(cmd)
64 65 if readonly:
65 cmd += [
66 '--config',
67 'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
68 '--config',
69 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
70 ]
71 dispatch.dispatch(dispatch.request(cmd))
66 if not req.ui:
67 req.ui = uimod.ui.load()
68 req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
69 'python:__main__.rejectpush', 'hg-ssh')
70 req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
71 'python:__main__.rejectpush', 'hg-ssh')
72 dispatch.dispatch(req)
72 73 else:
73 74 sys.stderr.write('Illegal repository "%s"\n' % repo)
74 75 sys.exit(255)
Show file before | Show file after | Hide comments
@@ -155,6 +155,37 b' def _runcatch(req):'
155 155 pass # happens if called in a thread
156 156
157 157 def _runcatchfunc():
158 realcmd = None
159 try:
160 cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
161 cmd = cmdargs[0]
162 aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
163 realcmd = aliases[0]
164 except (error.UnknownCommand, error.AmbiguousCommand,
165 IndexError, getopt.GetoptError):
166 # Don't handle this here. We know the command is
167 # invalid, but all we're worried about for now is that
168 # it's not a command that server operators expect to
169 # be safe to offer to users in a sandbox.
170 pass
171 if realcmd == 'serve' and '--stdio' in cmdargs:
172 # We want to constrain 'hg serve --stdio' instances pretty
173 # closely, as many shared-ssh access tools want to grant
174 # access to run *only* 'hg -R $repo serve --stdio'. We
175 # restrict to exactly that set of arguments, and prohibit
176 # any repo name that starts with '--' to prevent
177 # shenanigans wherein a user does something like pass
178 # --debugger or --config=ui.debugger=1 as a repo
179 # name. This used to actually run the debugger.
180 if (len(req.args) != 4 or
181 req.args[0] != '-R' or
182 req.args[1].startswith('--') or
183 req.args[2] != 'serve' or
184 req.args[3] != '--stdio'):
185 raise error.Abort(
186 _('potentially unsafe serve --stdio invocation: %r') %
187 (req.args,))
188
158 189 try:
159 190 debugger = 'pdb'
160 191 debugtrace = {
Show file before | Show file after | Hide comments
@@ -357,6 +357,19 b' Test (non-)escaping of remote paths with'
357 357 abort: destination 'a repo' is not empty
358 358 [255]
359 359
360 Make sure hg is really paranoid in serve --stdio mode. It used to be
361 possible to get a debugger REPL by specifying a repo named --debugger.
362 $ hg -R --debugger serve --stdio
363 abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
364 [255]
365 $ hg -R --config=ui.debugger=yes serve --stdio
366 abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
367 [255]
368 Abbreviations of 'serve' also don't work, to avoid shenanigans.
369 $ hg -R narf serv --stdio
370 abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
371 [255]
372
360 373 Test hg-ssh using a helper script that will restore PYTHONPATH (which might
361 374 have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
362 375 parameters:
General Comments 0
You need to be logged in to leave comments. Login now