dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it.

mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.
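
A shared-SSH wrapper can enforce the defence the commit message calls for before hg ever sees the arguments. The following is an added example, not code from Mercurial or hg-ssh; the allowlist, the `Rejected` exception, the function names and the accepted command shape `hg -R <repo> serve --stdio` are assumptions made for illustration.

```python
import posixpath
import shlex

# Constructed allowlist for the example; a real wrapper would load its own.
ALLOWED_REPOS = {"projects/alpha", "projects/beta"}


class Rejected(Exception):
    """The requested SSH command must not be passed on to hg."""


def check_repo_name(name):
    """Return the normalised repository name, or raise Rejected."""
    # Explicit checks for the two cases the commit message names, followed by
    # the broader rule that nothing option-like is ever a repository name.
    if name == "--debugger" or name.startswith("--config"):
        raise Rejected("option smuggled as repository name: %r" % name)
    if name.startswith("-"):
        raise Rejected("repository name looks like an option: %r" % name)
    # Normalise first so './x' or 'a/../x' cannot dodge the allowlist lookup.
    norm = posixpath.normpath(name)
    if norm not in ALLOWED_REPOS:
        raise Rejected("repository not on the allowlist: %r" % name)
    return norm


def vet_ssh_command(original_command):
    """Vet the client-supplied command line (e.g. SSH_ORIGINAL_COMMAND).

    Returns the argv to execute, or raises Rejected.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise Rejected("unparsable command: %s" % exc)
    # Only the exact shape 'hg -R <repo> serve --stdio' is accepted; extra or
    # reordered arguments are rejected rather than filtered out.
    if (len(argv) != 5 or argv[:2] != ["hg", "-R"]
            or argv[3:] != ["serve", "--stdio"]):
        raise Rejected("unexpected command shape")
    repo = check_repo_name(argv[2])
    # No --config is forwarded; per the commit message, configuration has to
    # reach Mercurial by another route (ui.setconfig() or an hgrc file).
    return ["hg", "-R", repo, "serve", "--stdio"]
```
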

File last commit:

r30907:75149f84 stable
r32050:77eaf953 4.1.3 stable
hg.1.txt
119 lines | 3.1 KiB | text/plain | TextLexer
====
 hg
====

---------------------------------------
Mercurial source code management system
---------------------------------------

:Author:         Matt Mackall <mpm@selenic.com>
:Organization:   Mercurial
:Manual section: 1
:Manual group:   Mercurial Manual

.. contents::
   :backlinks: top
   :class: htmlonly
   :depth: 1

Synopsis
""""""""
**hg** *command* [*option*]... [*argument*]...

Description
"""""""""""
The **hg** command provides a command line interface to the Mercurial
system.

Command Elements
""""""""""""""""

files...
    indicates one or more filenames or relative path filenames; see
    `File Name Patterns`_ for information on pattern matching

path
    indicates a path on the local machine

revision
    indicates a changeset which can be specified as a changeset
    revision number, a tag, or a unique substring of the changeset
    hash value

repository path
    either the pathname of a local repository or the URI of a remote
    repository.

.. include:: hg.1.gendoc.txt

Files
"""""

``/etc/mercurial/hgrc``, ``$HOME/.hgrc``, ``.hg/hgrc``
    This file contains defaults and configuration. Values in
    ``.hg/hgrc`` override those in ``$HOME/.hgrc``, and these override
    settings made in the global ``/etc/mercurial/hgrc`` configuration.
    See |hgrc(5)|_ for details of the contents and format of these
    files.

``.hgignore``
    This file contains regular expressions (one per line) that
    describe file names that should be ignored by **hg**. For details,
    see |hgignore(5)|_.

``.hgsub``
    This file defines the locations of all subrepositories, and
    tells where the subrepository checkouts came from. For details, see
    :hg:`help subrepos`.

``.hgsubstate``
    This file is where Mercurial stores all nested repository states. *NB: This
    file should not be edited manually.*

``.hgtags``
    This file contains changeset hash values and text tag names (one
    of each separated by spaces) that correspond to tagged versions of
    the repository contents. The file content is encoded using UTF-8.

``.hg/last-message.txt``
    This file is used by :hg:`commit` to store a backup of the commit message
    in case the commit fails.

``.hg/localtags``
    This file can be used to define local tags which are not shared among
    repositories. The file format is the same as for ``.hgtags``, but it is
    encoded using the local system encoding.

Some commands (e.g. revert) produce backup files ending in ``.orig``.
If the ``.orig`` file already exists and is not tracked by Mercurial,
it will be overwritten.

Bugs
""""
Probably lots; please post them to the mailing list (see Resources_
below) when you find them.

See Also
""""""""
|hgignore(5)|_, |hgrc(5)|_

Author
""""""
Written by Matt Mackall <mpm@selenic.com>

Resources
"""""""""
Main Web Site: https://mercurial-scm.org/

Source code repository: https://www.mercurial-scm.org/repo/hg

Mailing list: https://www.mercurial-scm.org/mailman/listinfo/mercurial/

Copying
"""""""
Copyright (C) 2005-2017 Matt Mackall.
Free use of this software is granted under the terms of the GNU General
Public License version 2 or any later version.

.. include:: common.txt