upstream/mercurial-mirror Commit - r1646:8e9c2039

Clean up paths passed to hgweb...

Matt Mackall -

r1646:8e9c2039 default

parent child

mercurial/hgweb.py

0 +16 -5

                 # find tag, changeset, file
                 def run(self, req=hgrequest()):
+                    def clean(path):
+                        p = os.path.normpath(path)
+                        if p[:2] == "..":
+                            raise "suspicious path"
+                        return p
                     def header(**map):
                         yield self.t("header", **map)
                         req.write(self.changeset(req.form['node'][0]))
                     elif req.form['cmd'][0] == 'manifest':
-                        req.write(self.manifest(req.form['manifest'][0], req.form['path'][0]))
+                        req.write(self.manifest(req.form['manifest'][0],
+                                                clean(req.form['path'][0])))
                     elif req.form['cmd'][0] == 'tags':
                         req.write(self.tags())
                         req.write(self.summary())
                     elif req.form['cmd'][0] == 'filediff':
-                        req.write(self.filediff(req.form['file'][0], req.form['node'][0]))
+                        req.write(self.filediff(clean(req.form['file'][0]),
+                                                req.form['node'][0]))
                     elif req.form['cmd'][0] == 'file':
-                        req.write(self.filerevision(req.form['file'][0], req.form['filenode'][0]))
+                        req.write(self.filerevision(clean(req.form['file'][0]),
+                                                    req.form['filenode'][0]))
                     elif req.form['cmd'][0] == 'annotate':
-                        req.write(self.fileannotate(req.form['file'][0], req.form['filenode'][0]))
+                        req.write(self.fileannotate(clean(req.form['file'][0]),
+                                                    req.form['filenode'][0]))
                     elif req.form['cmd'][0] == 'filelog':
-                        req.write(self.filelog(req.form['file'][0], req.form['filenode'][0]))
+                        req.write(self.filelog(clean(req.form['file'][0]),
+                                               req.form['filenode'][0]))
                     elif req.form['cmd'][0] == 'heads':
                         req.httphdr("application/mercurial-0.1")

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages