##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

use untrusted settings in hgwebdir
Alexis S. L. Carvalho -
r3556:c3043ebe default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,209 +1,211 b''
1 1 # hgweb/hgwebdir_mod.py - Web interface for a directory of repositories.
2 2 #
3 3 # Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>
4 4 # Copyright 2005, 2006 Matt Mackall <mpm@selenic.com>
5 5 #
6 6 # This software may be used and distributed according to the terms
7 7 # of the GNU General Public License, incorporated herein by reference.
8 8
9 9 import os
10 10 from mercurial.demandload import demandload
11 11 demandload(globals(), "mimetools cStringIO")
12 12 demandload(globals(), "mercurial:ui,hg,util,templater")
13 13 demandload(globals(), "mercurial.hgweb.hgweb_mod:hgweb")
14 14 demandload(globals(), "mercurial.hgweb.common:get_mtime,staticfile,style_map")
15 15 from mercurial.i18n import gettext as _
16 16
17 17 # This is a stopgap
18 18 class hgwebdir(object):
19 19 def __init__(self, config):
20 20 def cleannames(items):
21 21 return [(name.strip(os.sep), path) for name, path in items]
22 22
23 23 self.motd = ""
24 24 self.style = ""
25 25 self.repos_sorted = ('name', False)
26 26 if isinstance(config, (list, tuple)):
27 27 self.repos = cleannames(config)
28 28 self.repos_sorted = ('', False)
29 29 elif isinstance(config, dict):
30 30 self.repos = cleannames(config.items())
31 31 self.repos.sort()
32 32 else:
33 33 cp = util.configparser()
34 34 cp.read(config)
35 35 self.repos = []
36 36 if cp.has_section('web'):
37 37 if cp.has_option('web', 'motd'):
38 38 self.motd = cp.get('web', 'motd')
39 39 if cp.has_option('web', 'style'):
40 40 self.style = cp.get('web', 'style')
41 41 if cp.has_section('paths'):
42 42 self.repos.extend(cleannames(cp.items('paths')))
43 43 if cp.has_section('collections'):
44 44 for prefix, root in cp.items('collections'):
45 45 for path in util.walkrepos(root):
46 46 repo = os.path.normpath(path)
47 47 name = repo
48 48 if name.startswith(prefix):
49 49 name = name[len(prefix):]
50 50 self.repos.append((name.lstrip(os.sep), repo))
51 51 self.repos.sort()
52 52
53 53 def run(self):
54 54 if not os.environ.get('GATEWAY_INTERFACE', '').startswith("CGI/1."):
55 55 raise RuntimeError("This function is only intended to be called while running as a CGI script.")
56 56 import mercurial.hgweb.wsgicgi as wsgicgi
57 57 from request import wsgiapplication
58 58 def make_web_app():
59 59 return self
60 60 wsgicgi.launch(wsgiapplication(make_web_app))
61 61
62 62 def run_wsgi(self, req):
63 63 def header(**map):
64 64 header_file = cStringIO.StringIO(''.join(tmpl("header", **map)))
65 65 msg = mimetools.Message(header_file, 0)
66 66 req.header(msg.items())
67 67 yield header_file.read()
68 68
69 69 def footer(**map):
70 70 yield tmpl("footer", **map)
71 71
72 72 def motd(**map):
73 73 yield self.motd
74 74
75 75 url = req.env['REQUEST_URI'].split('?')[0]
76 76 if not url.endswith('/'):
77 77 url += '/'
78 78
79 79 style = self.style
80 80 if req.form.has_key('style'):
81 81 style = req.form['style'][0]
82 82 mapfile = style_map(templater.templatepath(), style)
83 83 tmpl = templater.templater(mapfile, templater.common_filters,
84 84 defaults={"header": header,
85 85 "footer": footer,
86 86 "motd": motd,
87 87 "url": url})
88 88
89 89 def archivelist(ui, nodeid, url):
90 allowed = ui.configlist("web", "allow_archive")
90 allowed = ui.configlist("web", "allow_archive", untrusted=True)
91 91 for i in [('zip', '.zip'), ('gz', '.tar.gz'), ('bz2', '.tar.bz2')]:
92 if i[0] in allowed or ui.configbool("web", "allow" + i[0]):
92 if i[0] in allowed or ui.configbool("web", "allow" + i[0],
93 untrusted=True):
93 94 yield {"type" : i[0], "extension": i[1],
94 95 "node": nodeid, "url": url}
95 96
96 97 def entries(sortcolumn="", descending=False, **map):
97 98 def sessionvars(**map):
98 99 fields = []
99 100 if req.form.has_key('style'):
100 101 style = req.form['style'][0]
101 102 if style != get('web', 'style', ''):
102 103 fields.append(('style', style))
103 104
104 105 separator = url[-1] == '?' and ';' or '?'
105 106 for name, value in fields:
106 107 yield dict(name=name, value=value, separator=separator)
107 108 separator = ';'
108 109
109 110 rows = []
110 111 parity = 0
111 112 for name, path in self.repos:
112 113 u = ui.ui()
113 114 try:
114 115 u.readconfig(os.path.join(path, '.hg', 'hgrc'))
115 116 except IOError:
116 117 pass
117 get = u.config
118 def get(section, name, default=None):
119 return u.config(section, name, default, untrusted=True)
118 120
119 121 url = ('/'.join([req.env["REQUEST_URI"].split('?')[0], name])
120 122 .replace("//", "/")) + '/'
121 123
122 124 # update time with local timezone
123 125 try:
124 126 d = (get_mtime(path), util.makedate()[1])
125 127 except OSError:
126 128 continue
127 129
128 130 contact = (get("ui", "username") or # preferred
129 131 get("web", "contact") or # deprecated
130 132 get("web", "author", "")) # also
131 133 description = get("web", "description", "")
132 134 name = get("web", "name", name)
133 135 row = dict(contact=contact or "unknown",
134 136 contact_sort=contact.upper() or "unknown",
135 137 name=name,
136 138 name_sort=name,
137 139 url=url,
138 140 description=description or "unknown",
139 141 description_sort=description.upper() or "unknown",
140 142 lastchange=d,
141 143 lastchange_sort=d[1]-d[0],
142 144 sessionvars=sessionvars,
143 145 archives=archivelist(u, "tip", url))
144 146 if (not sortcolumn
145 147 or (sortcolumn, descending) == self.repos_sorted):
146 148 # fast path for unsorted output
147 149 row['parity'] = parity
148 150 parity = 1 - parity
149 151 yield row
150 152 else:
151 153 rows.append((row["%s_sort" % sortcolumn], row))
152 154 if rows:
153 155 rows.sort()
154 156 if descending:
155 157 rows.reverse()
156 158 for key, row in rows:
157 159 row['parity'] = parity
158 160 parity = 1 - parity
159 161 yield row
160 162
161 163 virtual = req.env.get("PATH_INFO", "").strip('/')
162 164 if virtual.startswith('static/'):
163 165 static = os.path.join(templater.templatepath(), 'static')
164 166 fname = virtual[7:]
165 167 req.write(staticfile(static, fname, req) or
166 168 tmpl('error', error='%r not found' % fname))
167 169 elif virtual:
168 170 while virtual:
169 171 real = dict(self.repos).get(virtual)
170 172 if real:
171 173 break
172 174 up = virtual.rfind('/')
173 175 if up < 0:
174 176 break
175 177 virtual = virtual[:up]
176 178 if real:
177 179 req.env['REPO_NAME'] = virtual
178 180 try:
179 181 hgweb(real).run_wsgi(req)
180 182 except IOError, inst:
181 183 req.write(tmpl("error", error=inst.strerror))
182 184 except hg.RepoError, inst:
183 185 req.write(tmpl("error", error=str(inst)))
184 186 else:
185 187 req.write(tmpl("notfound", repo=virtual))
186 188 else:
187 189 if req.form.has_key('static'):
188 190 static = os.path.join(templater.templatepath(), "static")
189 191 fname = req.form['static'][0]
190 192 req.write(staticfile(static, fname, req)
191 193 or tmpl("error", error="%r not found" % fname))
192 194 else:
193 195 sortable = ["name", "description", "contact", "lastchange"]
194 196 sortcolumn, descending = self.repos_sorted
195 197 if req.form.has_key('sort'):
196 198 sortcolumn = req.form['sort'][0]
197 199 descending = sortcolumn.startswith('-')
198 200 if descending:
199 201 sortcolumn = sortcolumn[1:]
200 202 if sortcolumn not in sortable:
201 203 sortcolumn = ""
202 204
203 205 sort = [("sort_%s" % column,
204 206 "%s%s" % ((not descending and column == sortcolumn)
205 207 and "-" or "", column))
206 208 for column in sortable]
207 209 req.write(tmpl("index", entries=entries,
208 210 sortcolumn=sortcolumn, descending=descending,
209 211 **dict(sort)))
General Comments 0
You need to be logged in to leave comments. Login now