dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it.

mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.
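An added example, not part of this commit or of Mercurial's own code: one way a custom SSH hosting wrapper can apply the defence the commit message asks for before handing a client-supplied repository name to 'hg serve --stdio'. It goes beyond the two names the message lists by refusing any name that starts with '-'; the function name, exception class, `base_dir` layout and sample paths are assumptions made for illustration.

```python
import os
import shlex


class RejectedCommand(ValueError):
    """The client-supplied command must not be handed to Mercurial."""


def vet_serve_command(orig_cmd, allowed_repos, base_dir):
    """Return a safe argv for 'hg serve --stdio' or raise RejectedCommand.

    orig_cmd      -- what the SSH client asked to run (SSH_ORIGINAL_COMMAND)
    allowed_repos -- repository paths this user may reach, relative to base_dir
    base_dir      -- hosting root (hypothetical layout for this example)
    """
    try:
        argv = shlex.split(orig_cmd)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand("unparseable command: %s" % exc)

    # Accept exactly one shape: hg -R <repo> serve --stdio
    if (len(argv) != 5 or argv[:2] != ["hg", "-R"]
            or argv[3:] != ["serve", "--stdio"]):
        raise RejectedCommand("only 'hg -R <repo> serve --stdio' is allowed")

    name = argv[2]
    # '--debugger' and '--config...' are the names the commit message calls
    # out; refusing every leading '-' is this example's broader rule.
    if name.startswith("-"):
        raise RejectedCommand("repository name looks like an option: %r" % name)

    root = os.path.abspath(base_dir)
    repo = os.path.normpath(os.path.join(root, name))
    allowed = {os.path.normpath(os.path.join(root, r)) for r in allowed_repos}
    if repo not in allowed:
        raise RejectedCommand("repository not permitted: %r" % name)

    # The repository is passed on as an absolute path, which cannot start
    # with '-', so it can no longer be read as an option.
    return ["hg", "-R", repo, "serve", "--stdio"]
```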

File last commit:

r30907:75149f84 stable
r32050:77eaf953 4.1.3 stable
ReadMe.html
162 lines | 4.6 KiB | text/html | HtmlLexer
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Mercurial for Windows</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<style type="text/css">
<!--
html {
font-family: sans-serif;
margin: 1em 2em;
}
p {
margin-top: 0.5em;
margin-bottom: 0.5em;
}
pre {
margin: 0.25em 0em;
padding: 0.5em;
background-color: #EEE;
border: thin solid #CCC;
}
.indented {
padding-left: 10pt;
}
-->
</style>
</head>
<body>
<h1>Mercurial for Windows</h1>
<p>Welcome to Mercurial for Windows!</p>
<p>
Mercurial is a command-line application. You must run it from
the Windows command prompt (or if you're hard core, a <a
href="http://www.mingw.org/">MinGW</a> shell).
</p>
<p class="indented">
<i>Note: the standard <a href="http://www.mingw.org/">MinGW</a>
msys startup script uses rxvt which has problems setting up
standard input and output. Running bash directly works
correctly.</i>
</p>
<p>
For documentation, please visit the <a
href="https://mercurial-scm.org/">Mercurial web site</a>.
You can also download a free book, <a
href="http://hgbook.red-bean.com/">Mercurial: The Definitive
Guide</a>.
</p>
<p>
By default, Mercurial installs to <tt>C:\Program
Files\Mercurial</tt>. The Mercurial command is called
<tt>hg.exe</tt>.
</p>
<h1>Testing Mercurial after you've installed it</h1>
<p>
The easiest way to check that Mercurial is installed properly is
to just type the following at the command prompt:
</p>
<pre>
hg
</pre>
<p>
This command should print a useful help message. If it does,
other Mercurial commands should work fine for you.
</p>
<h1>Configuration notes</h1>
<h4>Default editor</h4>
<p>
The default editor for commit messages is 'notepad'. You can set
the <tt>EDITOR</tt> (or <tt>HGEDITOR</tt>) environment variable
to specify your preference or set it in <tt>mercurial.ini</tt>:
</p>
<pre>
[ui]
editor = whatever
</pre>
<h4>Configuring a Merge program</h4>
<p>
It should be emphasized that Mercurial by itself doesn't attempt
to do a merge at the file level, nor does it make any
attempt to resolve the conflicts.
</p>
<p>
By default, Mercurial will use the merge program defined by the
<tt>HGMERGE</tt> environment variable, or the one defined
in the <tt>mercurial.ini</tt> file (see <a
href="https://mercurial-scm.org/wiki/MergeProgram">MergeProgram</a>
on the Mercurial Wiki for more information).
</p>
<h1>Reporting problems</h1>
<p>
Before you report any problems, please consult the <a
href="https://mercurial-scm.org/">Mercurial web site</a>
and see if your question is already in our list of <a
href="https://mercurial-scm.org/wiki/FAQ">Frequently
Answered Questions</a> (the "FAQ").
</p>
<p>
If you cannot find an answer to your question, please feel free
to send mail to the Mercurial mailing list, at <a
href="mailto:mercurial@mercurial-scm.org">mercurial@mercurial-scm.org</a>.
<b>Remember</b>, the more useful information you include in your
report, the easier it will be for us to help you!
</p>
<p>
If you are IRC-savvy, that's usually the fastest way to get
help. Go to <tt>#mercurial</tt> on <tt>irc.freenode.net</tt>.
</p>
<h1>Author and copyright information</h1>
<p>
Mercurial was written by <a href="http://www.selenic.com">Matt
Mackall</a>, and is maintained by Matt and a team of volunteers.
</p>
<p>
The Windows installer was written by <a
href="http://www.serpentine.com/blog">Bryan O'Sullivan</a>.
</p>
<p>
Mercurial is Copyright 2005-2017 Matt Mackall and others. See
the <tt>Contributors.txt</tt> file for a list of contributors.
</p>
<p>
Mercurial is free software; you can redistribute it and/or
modify it under the terms of the <a
href="http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt">GNU
General Public License version 2</a> or any later version.
</p>
<p>
Mercurial is distributed in the hope that it will be useful, but
<b>without any warranty</b>; without even the implied warranty
of <b>merchantability</b> or <b>fitness for a particular
purpose</b>. See the GNU General Public License for more
details.
</p>
</body>
</html>