@@ -7,6 +7,7 b'' | |||
|
7 | 7 | # of the GNU General Public License, incorporated herein by reference. |
|
8 | 8 | |
|
9 | 9 | import os, cgi, sys, urllib |
|
10 | import mimetypes | |
|
10 | 11 | from demandload import demandload |
|
11 | 12 | demandload(globals(), "mdiff time re socket zlib errno ui hg ConfigParser") |
|
12 | 13 | demandload(globals(), "zipfile tempfile StringIO tarfile BaseHTTPServer util") |
@@ -843,6 +844,7 b' class hgweb(object):' | |||
|
843 | 844 | 'ca': [('cmd', ['archive']), ('node', None)], |
|
844 | 845 | 'tags': [('cmd', ['tags'])], |
|
845 | 846 | 'tip': [('cmd', ['changeset']), ('node', ['tip'])], |
|
847 | 'static': [('cmd', ['static']), ('file', None)] | |
|
846 | 848 | } |
|
847 | 849 | |
|
848 | 850 | for k in shortcuts.iterkeys(): |
@@ -858,6 +860,7 b' class hgweb(object):' | |||
|
858 | 860 | expand_form(req.form) |
|
859 | 861 | |
|
860 | 862 | t = self.repo.ui.config("web", "templates", templatepath()) |
|
863 | static = self.repo.ui.config("web", "static", os.path.join(t,"static")) | |
|
861 | 864 | m = os.path.join(t, "map") |
|
862 | 865 | style = self.repo.ui.config("web", "style", "") |
|
863 | 866 | if req.form.has_key('style'): |
@@ -981,6 +984,38 b' class hgweb(object):' | |||
|
981 | 984 | |
|
982 | 985 | req.write(self.t("error")) |
|
983 | 986 | |
|
987 | elif req.form['cmd'][0] == 'static': | |
|
988 | fname = req.form['file'][0] | |
|
989 | ||
|
990 | fname = os.path.realpath(os.path.join(static, fname)) | |
|
991 | ||
|
992 | try: | |
|
993 | # the static dir should be a substring in the real | |
|
994 | # file path, if it is not, we have something strange | |
|
995 | # going on => security breach attempt? | |
|
996 | # | |
|
997 | # This will either: | |
|
998 | # 1) find the `static' path at index 0 = success | |
|
999 | # 2) find the `static' path at other index = error | |
|
1000 | # 3) not find the `static' path = ValueError generated | |
|
1001 | if fname.index(static) != 0: | |
|
1002 | # generate ValueError manually | |
|
1003 | raise ValueError() | |
|
1004 | ||
|
1005 | os.stat(fname) | |
|
1006 | ||
|
1007 | ct = mimetypes.guess_type(fname)[0] | |
|
1008 | if ct == None: | |
|
1009 | ct = "text/plain" | |
|
1010 | ||
|
1011 | req.write("Content-type: " + ct + "\n\n" + file(fname).read()) | |
|
1012 | except ValueError: | |
|
1013 | # security breach attempt | |
|
1014 | req.write(self.t("error")) | |
|
1015 | except OSError, e: | |
|
1016 | if e.errno == errno.ENOENT: | |
|
1017 | req.write(self.t("error")) | |
|
1018 | ||
|
984 | 1019 | else: |
|
985 | 1020 | req.write(self.t("error")) |
|
986 | 1021 |
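Review bot: The containment test at new line 1001, `if fname.index(static) != 0:`, is a bare string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the static path would be accepted. `static` is also never canonicalised, while `fname` is passed through `os.path.realpath`, so the two sides are not compared in the same form. I would normalise once with `static = os.path.realpath(static)` and check `if not fname.startswith(static + os.sep): raise ValueError()`. Separately, `os.stat(fname)` succeeds on a directory, after which `file(fname).read()` raises an IOError that neither `except` clause catches. An OSError other than ENOENT falls through the handler without writing any response; the read should also open the file in `'rb'` mode and close the handle. The enclosing method starts and ends outside this hunk, so how `req.form['file']` is populated upstream is not visible here.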
@@ -89,7 +89,9 b' try:' | |||
|
89 | 89 | data_files=[('mercurial/templates', |
|
90 | 90 | ['templates/map'] + |
|
91 | 91 | glob.glob('templates/map-*') + |
|
92 |
glob.glob('templates/*.tmpl')) |
|
|
92 | glob.glob('templates/*.tmpl')), | |
|
93 | ('mercurial/templates/static', | |
|
94 | glob.glob('templates/static/*'))], | |
|
93 | 95 | cmdclass=cmdclass, |
|
94 | 96 | scripts=['hg', 'hgmerge'], |
|
95 | 97 | options=dict(bdist_mpkg=dict(zipdist=True, |