dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

from __future__ import print_function
from mercurial import demandimport
demandimport.enable()

# Imported only after enable() so these bindings go through demandimport.
import os
import subprocess
import sys

# Only run if demandimport is allowed: 'hghave demandimport' exits non-zero
# when it is not, and exit status 80 presumably marks the test as skipped.
hghave = '%s/hghave' % os.environ['TESTDIR']
if subprocess.call(['python', hghave, 'demandimport']):
    sys.exit(80)
# On non-Windows platforms the import statement itself must raise ImportError
# (the print fires only when it did not), so distutils.msvc9compiler is
# presumably one of demandimport's immediate-import exceptions -- confirm in
# mercurial/demandimport.py. The bare attribute access afterwards would force
# a deferred import, had one been created.
if os.name != 'nt':
    try:
        import distutils.msvc9compiler
        print('distutils.msvc9compiler needs to be an immediate '
              'importerror on non-windows platforms')
        distutils.msvc9compiler
    except ImportError:
        pass
import re
# Bound now, while 're' still names the re module; the name is rebound to
# sys further down and other code in this file still needs rsub.
rsub = re.sub

# Compiled up front for the same reason: f() must not look up 're' at call
# time. Each entry replaces one volatile fragment of a repr() string.
_NORMALIZERS = (
    (re.compile(r"0x[0-9a-fA-F]+"), "0x?"),
    (re.compile(r"from '.*'"), "from '?'"),
    (re.compile(r"'<[a-z]*>'"), "'<whatever>'"),
)


def f(obj):
    """Return repr(obj) with its unstable parts masked.

    Hex addresses become '0x?', the "from '<path>'" clause becomes
    "from '?'", and a quoted '<name>' token becomes '<whatever>', so the
    output is stable across runs and installations.
    """
    text = repr(obj)
    for pattern, replacement in _NORMALIZERS:
        text = pattern.sub(replacement, text)
    return text
# Each group prints a module's repr, touches one attribute, then prints the
# repr again, so the output records how the binding looks before and after
# the attribute access (presumably a demandimport placeholder versus the
# fully loaded module -- compare against the expected output file).
import os
print("os =", f(os))
print("os.system =", f(os.system))
print("os =", f(os))
from mercurial import util
print("util =", f(util))
print("util.system =", f(util.system))
print("util =", f(util))
print("util.system =", f(util.system))
# hgweb is a package; hgweb_mod is one of its submodules.
from mercurial import hgweb
print("hgweb =", f(hgweb))
print("hgweb_mod =", f(hgweb.hgweb_mod))
print("hgweb =", f(hgweb))
# Aliased imports: 'fred' names the re module, and 'import sys as re'
# rebinds the name 're' to sys. f() keeps working because it bound what it
# needs from re before this rebinding.
import re as fred
print("fred =", f(fred))
import sys as re
print("re =", f(re))
print("fred =", f(fred))
print("fred.sub =", f(fred.sub))
print("fred =", f(fred))
print("re =", f(re))
print("re.stderr =", f(re.stderr))
print("re =", f(re))
# contextlib is a plain module, not a package: importing an unknown name
# from it is expected to raise ImportError rather than produce a deferred
# placeholder object.
import contextlib
print("contextlib =", f(contextlib))
try:
    from contextlib import unknownattr
    print('no demandmod should be created for attribute of non-package '
          'module:\ncontextlib.unknownattr =', f(unknownattr))
except ImportError as inst:
    # Quotes are stripped from the message, presumably so the expected
    # output does not depend on how the interpreter quotes the name.
    print('contextlib.unknownattr = ImportError: %s'
          % rsub(r"'", '', str(inst)))
# Unlike the import statement, __import__() function should not raise
# ImportError even if fromlist has an unknown item
# (see Python/import.c:import_module_level() and ensure_fromlist())
contextlibimp = __import__('contextlib', globals(), locals(), ['unknownattr'])
print("__import__('contextlib', ..., ['unknownattr']) =", f(contextlibimp))
# util.safehasattr is used instead of the builtin hasattr; presumably it
# probes without triggering a deferred import -- confirm in mercurial/util.py.
print("hasattr(contextlibimp, 'unknownattr') =",
      util.safehasattr(contextlibimp, 'unknownattr'))
# Turn demandimport off, then check that HGDEMANDIMPORT=disable in the
# environment keeps a later enable() from switching it back on. The node
# repr printed last should therefore presumably show a normally loaded
# module rather than a deferred one -- compare against the expected output.
demandimport.disable()
os.environ['HGDEMANDIMPORT'] = 'disable'
# this enable call should not actually enable demandimport!
demandimport.enable()
from mercurial import node
print("node =", f(node))