##// END OF EJS Templates
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)...
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

File last commit:

r31814:07872262 default
r32050:77eaf953 4.1.3 stable
Show More
test-push-http-bundle1.t
203 lines | 5.5 KiB | text/troff | Tads3Lexer
/ tests / test-push-http-bundle1.t
#require killdaemons
This test checks behavior related to bundle1 that changed or is likely
to change with bundle2. Feel free to factor out any part of the test
which does not need to exist to keep bundle1 working.
$ cat << EOF >> $HGRCPATH
> [devel]
> # This test is dedicated to interaction through old bundle
> legacy.exchange = bundle1
> EOF
$ hg init test
$ cd test
$ echo a > a
$ hg ci -Ama
adding a
$ cd ..
$ hg clone test test2
updating to branch default
1 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ cd test2
$ echo a >> a
$ hg ci -mb
$ req() {
> hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log
> cat hg.pid >> $DAEMON_PIDS
> hg --cwd ../test2 push http://localhost:$HGPORT/
> exitstatus=$?
> killdaemons.py
> echo % serve errors
> cat errors.log
> return $exitstatus
> }
$ cd ../test
expect ssl error
$ req
pushing to http://localhost:$HGPORT/
searching for changes
abort: HTTP Error 403: ssl required
% serve errors
[255]
expect authorization error
$ echo '[web]' > .hg/hgrc
$ echo 'push_ssl = false' >> .hg/hgrc
$ req
pushing to http://localhost:$HGPORT/
searching for changes
abort: authorization failed
% serve errors
[255]
expect authorization error: must have authorized user
$ echo 'allow_push = unperson' >> .hg/hgrc
$ req
pushing to http://localhost:$HGPORT/
searching for changes
abort: authorization failed
% serve errors
[255]
expect success
$ cat >> .hg/hgrc <<EOF
> allow_push = *
> [hooks]
> changegroup = sh -c "printenv.py changegroup 0"
> pushkey = sh -c "printenv.py pushkey 0"
> EOF
$ req
pushing to http://localhost:$HGPORT/
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
remote: changegroup hook: HG_NODE=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_NODE_LAST=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_SOURCE=serve HG_TXNID=TXN:* HG_URL=remote:http:127.0.0.1: (glob)
% serve errors
$ hg rollback
repository tip rolled back to revision 0 (undo serve)
expect success, server lacks the httpheader capability
$ CAP=httpheader
$ . "$TESTDIR/notcapable"
$ req
pushing to http://localhost:$HGPORT/
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
remote: changegroup hook: HG_NODE=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_NODE_LAST=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_SOURCE=serve HG_TXNID=TXN:* HG_URL=remote:http:127.0.0.1: (glob)
% serve errors
$ hg rollback
repository tip rolled back to revision 0 (undo serve)
expect success, server lacks the unbundlehash capability
$ CAP=unbundlehash
$ . "$TESTDIR/notcapable"
$ req
pushing to http://localhost:$HGPORT/
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
remote: changegroup hook: HG_NODE=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_NODE_LAST=ba677d0156c1196c1a699fa53f390dcfc3ce3872 HG_SOURCE=serve HG_TXNID=TXN:* HG_URL=remote:http:127.0.0.1: (glob)
% serve errors
$ hg rollback
repository tip rolled back to revision 0 (undo serve)
expect success, pre-d1b16a746db6 server supports the unbundle capability, but
has no parameter
$ cat <<EOF > notcapable-unbundleparam.py
> from mercurial import extensions, httppeer
> def capable(orig, self, name):
> if name == 'unbundle':
> return True
> return orig(self, name)
> def uisetup(ui):
> extensions.wrapfunction(httppeer.httppeer, 'capable', capable)
> EOF
$ cp $HGRCPATH $HGRCPATH.orig
$ cat <<EOF >> $HGRCPATH
> [extensions]
> notcapable-unbundleparam = `pwd`/notcapable-unbundleparam.py
> EOF
$ req
pushing to http://localhost:$HGPORT/
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
remote: changegroup hook: * (glob)
% serve errors
$ hg rollback
repository tip rolled back to revision 0 (undo serve)
$ mv $HGRCPATH.orig $HGRCPATH
expect push success, phase change failure
$ cat > .hg/hgrc <<EOF
> [web]
> push_ssl = false
> allow_push = *
> [hooks]
> prepushkey = sh -c "printenv.py prepushkey 1"
> EOF
$ req
pushing to http://localhost:$HGPORT/
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
% serve errors
expect phase change success
$ cat >> .hg/hgrc <<EOF
> prepushkey = sh -c "printenv.py prepushkey 0"
> EOF
$ req
pushing to http://localhost:$HGPORT/
searching for changes
no changes found
% serve errors
[1]
$ hg rollback
repository tip rolled back to revision 0 (undo serve)
expect authorization error: all users denied
$ echo '[web]' > .hg/hgrc
$ echo 'push_ssl = false' >> .hg/hgrc
$ echo 'deny_push = *' >> .hg/hgrc
$ req
pushing to http://localhost:$HGPORT/
searching for changes
abort: authorization failed
% serve errors
[255]
expect authorization error: some users denied, users must be authenticated
$ echo 'deny_push = unperson' >> .hg/hgrc
$ req
pushing to http://localhost:$HGPORT/
searching for changes
abort: authorization failed
% serve errors
[255]
$ cd ..