upstream/mercurial-mirror Files · tests/killdaemons.py

dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...

dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

Yuya Nishihara - - Load All Authors

File last commit:

r29811:4ddfb730 default


                r32050:77eaf953

4.1.3 stable

Download file

             killdaemons.py
        
                    104 lines
            
             | 3.3 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / tests / killdaemons.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      #!/usr/bin/env python

      from __future__ import absolute_import

      import errno

      import os

      import signal

      import sys

      import time

      if os.name =='nt':

          import ctypes

          def _check(ret, expectederr=None):

              if ret == 0:

                  winerrno = ctypes.GetLastError()

                  if winerrno == expectederr:

                      return True

                  raise ctypes.WinError(winerrno)

          def kill(pid, logfn, tryhard=True):

              logfn('# Killing daemon process %d' % pid)

              PROCESS_TERMINATE = 1

              PROCESS_QUERY_INFORMATION = 0x400

              SYNCHRONIZE = 0x00100000

              WAIT_OBJECT_0 = 0

              WAIT_TIMEOUT = 258

              handle = ctypes.windll.kernel32.OpenProcess(

                      PROCESS_TERMINATE|SYNCHRONIZE|PROCESS_QUERY_INFORMATION,

                      False, pid)

              if handle == 0:

                  _check(0, 87) # err 87 when process not found

                  return # process not found, already finished

              try:

                  r = ctypes.windll.kernel32.WaitForSingleObject(handle, 100)

                  if r == WAIT_OBJECT_0:

                      pass # terminated, but process handle still available

                  elif r == WAIT_TIMEOUT:

                      _check(ctypes.windll.kernel32.TerminateProcess(handle, -1))

                  else:

                      _check(r)

                  # TODO?: forcefully kill when timeout

                  #        and ?shorter waiting time? when tryhard==True

                  r = ctypes.windll.kernel32.WaitForSingleObject(handle, 100)

                                                             # timeout = 100 ms

                  if r == WAIT_OBJECT_0:

                      pass # process is terminated

                  elif r == WAIT_TIMEOUT:

                      logfn('# Daemon process %d is stuck')

                  else:

                      _check(r) # any error

              except: #re-raises

                  ctypes.windll.kernel32.CloseHandle(handle) # no _check, keep error

                  raise

              _check(ctypes.windll.kernel32.CloseHandle(handle))

      else:

          def kill(pid, logfn, tryhard=True):

              try:

                  os.kill(pid, 0)

                  logfn('# Killing daemon process %d' % pid)

                  os.kill(pid, signal.SIGTERM)

                  if tryhard:

                      for i in range(10):

                          time.sleep(0.05)

                          os.kill(pid, 0)

                  else:

                      time.sleep(0.1)

                      os.kill(pid, 0)

                  logfn('# Daemon process %d is stuck - really killing it' % pid)

                  os.kill(pid, signal.SIGKILL)

              except OSError as err:

                  if err.errno != errno.ESRCH:

                      raise

      def killdaemons(pidfile, tryhard=True, remove=False, logfn=None):

          if not logfn:

              logfn = lambda s: s

          # Kill off any leftover daemon processes

          try:

              fp = open(pidfile)

              for line in fp:

                  try:

                      pid = int(line)

                      if pid <= 0:

                          raise ValueError

                  except ValueError:

                      logfn('# Not killing daemon process %s - invalid pid'

                            % line.rstrip())

                      continue

                  kill(pid, logfn, tryhard)

              fp.close()

              if remove:

                  os.unlink(pidfile)

          except IOError:

              pass

      if __name__ == '__main__':

          if len(sys.argv) > 1:

              path, = sys.argv[1:]

          else:

              path = os.environ["DAEMON_PIDS"]

          killdaemons(path)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				#!/usr/bin/env python

				from __future__ import absolute_import
				import errno
				import os
				import signal
				import sys
				import time

				if os.name =='nt':
				import ctypes

				def _check(ret, expectederr=None):
				if ret == 0:
				winerrno = ctypes.GetLastError()
				if winerrno == expectederr:
				return True
				raise ctypes.WinError(winerrno)

				def kill(pid, logfn, tryhard=True):
				logfn('# Killing daemon process %d' % pid)
				PROCESS_TERMINATE = 1
				PROCESS_QUERY_INFORMATION = 0x400
				SYNCHRONIZE = 0x00100000
				WAIT_OBJECT_0 = 0
				WAIT_TIMEOUT = 258
				handle = ctypes.windll.kernel32.OpenProcess(
				PROCESS_TERMINATE\|SYNCHRONIZE\|PROCESS_QUERY_INFORMATION,
				False, pid)
				if handle == 0:
				_check(0, 87) # err 87 when process not found
				return # process not found, already finished
				try:
				r = ctypes.windll.kernel32.WaitForSingleObject(handle, 100)
				if r == WAIT_OBJECT_0:
				pass # terminated, but process handle still available
				elif r == WAIT_TIMEOUT:
				_check(ctypes.windll.kernel32.TerminateProcess(handle, -1))
				else:
				_check(r)

				# TODO?: forcefully kill when timeout
				# and ?shorter waiting time? when tryhard==True
				r = ctypes.windll.kernel32.WaitForSingleObject(handle, 100)
				# timeout = 100 ms
				if r == WAIT_OBJECT_0:
				pass # process is terminated
				elif r == WAIT_TIMEOUT:
				logfn('# Daemon process %d is stuck')
				else:
				_check(r) # any error
				except: #re-raises
				ctypes.windll.kernel32.CloseHandle(handle) # no _check, keep error
				raise
				_check(ctypes.windll.kernel32.CloseHandle(handle))

				else:
				def kill(pid, logfn, tryhard=True):
				try:
				os.kill(pid, 0)
				logfn('# Killing daemon process %d' % pid)
				os.kill(pid, signal.SIGTERM)
				if tryhard:
				for i in range(10):
				time.sleep(0.05)
				os.kill(pid, 0)
				else:
				time.sleep(0.1)
				os.kill(pid, 0)
				logfn('# Daemon process %d is stuck - really killing it' % pid)
				os.kill(pid, signal.SIGKILL)
				except OSError as err:
				if err.errno != errno.ESRCH:
				raise

				def killdaemons(pidfile, tryhard=True, remove=False, logfn=None):
				if not logfn:
				logfn = lambda s: s
				# Kill off any leftover daemon processes
				try:
				fp = open(pidfile)
				for line in fp:
				try:
				pid = int(line)
				if pid <= 0:
				raise ValueError
				except ValueError:
				logfn('# Not killing daemon process %s - invalid pid'
				% line.rstrip())
				continue
				kill(pid, logfn, tryhard)
				fp.close()
				if remove:
				os.unlink(pidfile)
				except IOError:
				pass

				if __name__ == '__main__':
				if len(sys.argv) > 1:
				path, = sys.argv[1:]
				else:
				path = os.environ["DAEMON_PIDS"]

				killdaemons(path)