##// END OF EJS Templates
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

File last commit:

r29100:3fd94f60 default
r32050:77eaf953 4.1.3 stable
Show More
dirstatenonnormalcheck.py
57 lines | 2.6 KiB | text/x-python | PythonLexer
/ contrib / dirstatenonnormalcheck.py
# dirstatenonnormalcheck.py - extension to check the consistency of the
# dirstate's non-normal map
#
# For most operations on dirstate, this extensions checks that the nonnormalset
# contains the right entries.
# It compares the nonnormal file to a nonnormalset built from the map of all
# the files in the dirstate to check that they contain the same files.
from __future__ import absolute_import
from mercurial import (
dirstate,
extensions,
)
def nonnormalentries(dmap):
"""Compute nonnormal entries from dirstate's dmap"""
res = set()
for f, e in dmap.iteritems():
if e[0] != 'n' or e[3] == -1:
res.add(f)
return res
def checkconsistency(ui, orig, dmap, _nonnormalset, label):
"""Compute nonnormalset from dmap, check that it matches _nonnormalset"""
nonnormalcomputedmap = nonnormalentries(dmap)
if _nonnormalset != nonnormalcomputedmap:
ui.develwarn("%s call to %s\n" % (label, orig), config='dirstate')
ui.develwarn("inconsistency in nonnormalset\n", config='dirstate')
ui.develwarn("[nonnormalset] %s\n" % _nonnormalset, config='dirstate')
ui.develwarn("[map] %s\n" % nonnormalcomputedmap, config='dirstate')
def _checkdirstate(orig, self, arg):
"""Check nonnormal set consistency before and after the call to orig"""
checkconsistency(self._ui, orig, self._map, self._nonnormalset, "before")
r = orig(self, arg)
checkconsistency(self._ui, orig, self._map, self._nonnormalset, "after")
return r
def extsetup(ui):
"""Wrap functions modifying dirstate to check nonnormalset consistency"""
dirstatecl = dirstate.dirstate
devel = ui.configbool('devel', 'all-warnings')
paranoid = ui.configbool('experimental', 'nonnormalparanoidcheck')
if devel:
extensions.wrapfunction(dirstatecl, '_writedirstate', _checkdirstate)
if paranoid:
# We don't do all these checks when paranoid is disable as it would
# make the extension run very slowly on large repos
extensions.wrapfunction(dirstatecl, 'normallookup', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'otherparent', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'normal', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'write', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'add', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'remove', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'merge', _checkdirstate)
extensions.wrapfunction(dirstatecl, 'drop', _checkdirstate)