upstream/mercurial-mirror Commit - r15008:d0424f39

merge with stable

Matt Mackall -

r15008:d0424f39 default

parent child

.hgsigs

0 +1 0

 cb1e95676ad089596bd81d0937cad37d6e3b7fb 0 iD8DBQBNvTy4ywK+sNU5EO8RAmp8AJ9QnxK4jTJ7G722MyeBxf0UXEdGwACgtlM7BKtNQfbEH/fOW5y+45W88VI=
 af5d9f6b22387913e1d11350fb8cb7c1487dd 0 iD8DBQBN5q/8ywK+sNU5EO8RArRGAKCNGT94GKIYtSuwZ57z1sQbcw6uLACfffpbMV4NAPMl8womAwg+7ZPKnIU=
             de9eb6b1da4fc522b1cab16d86ca166204c24f25 0 iD8DBQBODhfhywK+sNU5EO8RAr2+AJ4ugbAj8ae8/K0bYZzx3sascIAg1QCeK3b+zbbVVqd3b7CDpwFnaX8kTd4=
+a43e23b8c55b4566b8200bf69fe2158485a2634 0 iD8DBQBONzIMywK+sNU5EO8RAj5SAJ0aPS3+JHnyI6bHB2Fl0LImbDmagwCdGbDLp1S7TFobxXudOH49bX45Iik=

.hgtags

0 +1 0

 cb1e95676ad089596bd81d0937cad37d6e3b7fb 1.8.3
 af5d9f6b22387913e1d11350fb8cb7c1487dd 1.8.4
             de9eb6b1da4fc522b1cab16d86ca166204c24f25 1.9
+a43e23b8c55b4566b8200bf69fe2158485a2634 1.9.1

mercurial/help/config.txt

0 +10 -1

                 Optional. Username to authenticate with. If not given, and the
                 remote site requires basic or digest authentication, the user will
                 be prompted for it. Environment variables are expanded in the
-                username letting you do ``foo.username = $USER``.
+                username letting you do ``foo.username = $USER``. If the URI
+                includes a username, only ``[auth]`` entries with a matching
+                username or without a username will be considered.
             ``password``
                 Optional. Password to authenticate with. If not given, and the
                 be present in this list. The contents of the allow_push list are
                 examined after the deny_push list.
+            ``guessmime``
+                Control MIME types for raw download of file content.
+                Set to True to let hgweb guess the content type from the file
+                extension. This will serve HTML files as ``text/html`` and might
+                allow cross-site scripting attacks when serving untrusted
+                repositories. Default is False.
             ``allow_read``
                 If the user has not already been denied repository access due to
                 the contents of deny_read, this list determines whether to grant

mercurial/hgweb/webcommands.py

0 +7 -3

                     return changelog(web, req, tmpl)
             def rawfile(web, req, tmpl):
+                guessmime = web.configbool('web', 'guessmime', False)
                 path = webutil.cleanpath(web.repo, req.form.get('file', [''])[0])
                 if not path:
                     content = manifest(web, req, tmpl)
                 path = fctx.path()
                 text = fctx.data()
-                mt = mimetypes.guess_type(path)[0]
+                mt = 'application/binary'
-                if mt is None:
+                if guessmime:
-                    mt = binary(text) and 'application/octet-stream' or 'text/plain'
+                    mt = mimetypes.guess_type(path)[0]
+                    if mt is None:
+                        mt = binary(text) and 'application/binary' or 'text/plain'
                 if mt.startswith('text/'):
                     mt += '; charset="%s"' % encoding.encoding

mercurial/httpconnection.py

0 +15 -1

                     gdict[setting] = val
                 # Find the best match
+                uri = util.url(uri)
+                user = uri.user
+                uri.user = uri.password = None
+                uri = str(uri)
                 scheme, hostpath = uri.split('://', 1)
+                bestuser = None
                 bestlen = 0
                 bestauth = None
                 for group, auth in config.iteritems():
+                    if user and user != auth.get('username', user):
+                        # If a username was set in the URI, the entry username
+                        # must either match it or be unset
+                        continue
                     prefix = auth.get('prefix')
                     if not prefix:
                         continue
                     else:
                         schemes = (auth.get('schemes') or 'https').split()
                     if (prefix == '*' or hostpath.startswith(prefix)) and \
-                        len(prefix) > bestlen and scheme in schemes:
+                        (len(prefix) > bestlen or (len(prefix) == bestlen and \
+                            not bestuser and 'username' in auth)) \
+                         and scheme in schemes:
                         bestlen = len(prefix)
                         bestauth = group, auth
+                        bestuser = auth.get('username')
+                        if user and not bestuser:
+                            auth['username'] = user
                 return bestauth
             # Mercurial (at least until we can remove the old codepath) requires

mercurial/url.py

0 +1 -1

                         self._writedebug(user, passwd)
                         return (user, passwd)
-                    if not user:
+                    if not user or not passwd:
                         res = httpconnectionmod.readauthforuri(self.ui, authuri)
                         if res:
                             group, auth = res

tests/test-hgweb-auth.py

0 +42 -9

@@ -1,5 +1,5 b''
1	from mercurial import demandimport; demandimport.enable()	1	from mercurial import demandimport; demandimport.enable()
2	from mercurial import ui	2	from mercurial import ui, util
3	from mercurial import url	3	from mercurial import url
4	from mercurial.error import Abort	4	from mercurial.error import Abort
5		5
@@ -19,13 +19,16 b' def dumpdict(dict):'
19	return '{' + ', '.join(['%s: %s' % (k, dict[k])	19	return '{' + ', '.join(['%s: %s' % (k, dict[k])
20	for k in sorted(dict.iterkeys())]) + '}'	20	for k in sorted(dict.iterkeys())]) + '}'
21		21
22	def test(auth):	22	def test(auth, urls=None):
23	print 'CFG:', dumpdict(auth)	23	print 'CFG:', dumpdict(auth)
24	prefixes = set()	24	prefixes = set()
25	for k in auth:	25	for k in auth:
26	prefixes.add(k.split('.', 1)[0])	26	prefixes.add(k.split('.', 1)[0])
27	for p in prefixes:	27	for p in prefixes:
28	~~auth~~.~~update~~({p + '.username': p, p + '.password': p})	28	for name in ('.username', '.password'):
		29	if (p + name) not in auth:
		30	auth[p + name] = p
		31	auth = dict((k, v) for k, v in auth.iteritems() if v is not None)
29		32
30	ui = writeauth(auth)	33	ui = writeauth(auth)
31		34
@@ -33,16 +36,26 b' def test(auth):'
33	print 'URI:', uri	36	print 'URI:', uri
34	try:	37	try:
35	pm = url.passwordmgr(ui)	38	pm = url.passwordmgr(ui)
		39	authinfo = util.url(uri).authinfo()[1]
		40	if authinfo is not None:
		41	pm.add_password(*authinfo)
36	print ' ', pm.find_user_password('test', uri)	42	print ' ', pm.find_user_password('test', uri)
37	except Abort, e:	43	except Abort, e:
38	print 'abort'	44	print 'abort'
39		45
40	_test('http://example.org/foo')	46	if not urls:
41	_test('http://example.org/foo/bar')	47	urls = [
42	~~_test~~('http://example.org/~~bar~~')	48	'http://example.org/foo',
43	~~_test~~('https://example.org/foo')	49	'http://example.org/foo/bar',
44	~~_test~~('https://example.org~~/foo~~/bar')	50	'http://example.org/bar',
45	~~_test~~('https://example.org/~~bar~~')	51	'https://example.org/foo',
		52	'https://example.org/foo/bar',
		53	'https://example.org/bar',
		54	'https://x@example.org/bar',
		55	'https://y@example.org/bar',
		56	]
		57	for u in urls:
		58	_test(u)
46		59
47		60
48	print '\n*** Test in-uri schemes\n'	61	print '\n*** Test in-uri schemes\n'
@@ -62,3 +75,23 b" test({'x.prefix': 'http://example.org/fo"
62	test({'x.prefix': 'http://example.org/foo',	75	test({'x.prefix': 'http://example.org/foo',
63	'y.prefix': 'http://example.org/foo/bar'})	76	'y.prefix': 'http://example.org/foo/bar'})
64	test({'x.prefix': '*', 'y.prefix': 'https://example.org/bar'})	77	test({'x.prefix': '*', 'y.prefix': 'https://example.org/bar'})
		78
		79	print '\n*** Test user matching\n'
		80	test({'x.prefix': 'http://example.org/foo',
		81	'x.username': None,
		82	'x.password': 'xpassword'},
		83	urls=['http://y@example.org/foo'])
		84	test({'x.prefix': 'http://example.org/foo',
		85	'x.username': None,
		86	'x.password': 'xpassword',
		87	'y.prefix': 'http://example.org/foo',
		88	'y.username': 'y',
		89	'y.password': 'ypassword'},
		90	urls=['http://y@example.org/foo'])
		91	test({'x.prefix': 'http://example.org/foo/bar',
		92	'x.username': None,
		93	'x.password': 'xpassword',
		94	'y.prefix': 'http://example.org/foo',
		95	'y.username': 'y',
		96	'y.password': 'ypassword'},
		97	urls=['http://y@example.org/foo/bar'])

tests/test-hgweb-auth.py.out

0 +52 0

                  abort
             URI: https://example.org/bar
                  abort
+            URI: https://x@example.org/bar
+                 abort
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: https://example.org}
             URI: http://example.org/foo
                  abort
                  ('x', 'x')
             URI: https://example.org/bar
                  ('x', 'x')
+            URI: https://x@example.org/bar
+                 ('x', 'x')
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: http://example.org, x.schemes: https}
             URI: http://example.org/foo
                  ('x', 'x')
                  abort
             URI: https://example.org/bar
                  abort
+            URI: https://x@example.org/bar
+                 abort
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: https://example.org, x.schemes: http}
             URI: http://example.org/foo
                  abort
                  ('x', 'x')
             URI: https://example.org/bar
                  ('x', 'x')
+            URI: https://x@example.org/bar
+                 ('x', 'x')
+            URI: https://y@example.org/bar
+                 abort
             *** Test separately configured schemes
                  abort
             URI: https://example.org/bar
                  abort
+            URI: https://x@example.org/bar
+                 abort
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: example.org, x.schemes: https}
             URI: http://example.org/foo
                  abort
                  ('x', 'x')
             URI: https://example.org/bar
                  ('x', 'x')
+            URI: https://x@example.org/bar
+                 ('x', 'x')
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: example.org, x.schemes: http https}
             URI: http://example.org/foo
                  ('x', 'x')
                  ('x', 'x')
             URI: https://example.org/bar
                  ('x', 'x')
+            URI: https://x@example.org/bar
+                 ('x', 'x')
+            URI: https://y@example.org/bar
+                 abort
             *** Test prefix matching
                  abort
             URI: https://example.org/bar
                  abort
+            URI: https://x@example.org/bar
+                 abort
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: http://example.org/foo, y.prefix: http://example.org/foo/bar}
             URI: http://example.org/foo
                  ('x', 'x')
                  abort
             URI: https://example.org/bar
                  abort
+            URI: https://x@example.org/bar
+                 abort
+            URI: https://y@example.org/bar
+                 abort
             CFG: {x.prefix: *, y.prefix: https://example.org/bar}
             URI: http://example.org/foo
                  abort
                  ('x', 'x')
             URI: https://example.org/bar
                  ('y', 'y')
+            URI: https://x@example.org/bar
+                 ('x', 'x')
+            URI: https://y@example.org/bar
+                 ('y', 'y')
+            *** Test user matching
+            CFG: {x.password: xpassword, x.prefix: http://example.org/foo, x.username: None}
+            URI: http://y@example.org/foo
+                 ('y', 'xpassword')
+            CFG: {x.password: xpassword, x.prefix: http://example.org/foo, x.username: None, y.password: ypassword, y.prefix: http://example.org/foo, y.username: y}
+            URI: http://y@example.org/foo
+                 ('y', 'ypassword')
+            CFG: {x.password: xpassword, x.prefix: http://example.org/foo/bar, x.username: None, y.password: ypassword, y.prefix: http://example.org/foo, y.username: y}
+            URI: http://y@example.org/foo/bar
+                 ('y', 'xpassword')

tests/test-hgweb-raw.t

0 +22 0

@@ -22,6 +22,28 b' Test raw style of hgweb'
22	$ sleep 1 # wait for server to scream and die	22	$ sleep 1 # wait for server to scream and die
23	$ cat getoutput.txt	23	$ cat getoutput.txt
24	200 Script output follows	24	200 Script output follows
		25	content-type: application/binary
		26	content-length: 157
		27	content-disposition: inline; filename="some \"text\".txt"
		28
		29	This is just some random text
		30	that will go inside the file and take a few lines.
		31	It is very boring to read, but computers don't
		32	care about things like that.
		33	$ cat access.log error.log
		34	127.0.0.1 - - [*] "GET /?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw HTTP/1.1" 200 - (glob)
		35
		36	$ rm access.log error.log
		37	$ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid \
		38	> --config web.guessmime=True
		39
		40	$ cat hg.pid >> $DAEMON_PIDS
		41	$ ("$TESTDIR/get-with-headers.py" localhost:$HGPORT '/?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw' content-type content-length content-disposition) >getoutput.txt &
		42	$ sleep 5
		43	$ kill `cat hg.pid`
		44	$ sleep 1 # wait for server to scream and die
		45	$ cat getoutput.txt
		46	200 Script output follows
25	content-type: text/plain; charset="ascii"	47	content-type: text/plain; charset="ascii"
26	content-length: 157	48	content-length: 157
27	content-disposition: inline; filename="some \"text\".txt"	49	content-disposition: inline; filename="some \"text\".txt"

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages