Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
mercurial
hg-r36754.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File hg-r36754.patch of Package mercurial
# HG changeset patch # User Gregory Szorc <gregory.szorc@gmail.com> # Date 1519181667 28800 # Tue Feb 20 18:54:27 2018 -0800 # Branch stable # Node ID e3c228b4510db166179fbc3e8a15033adb3104aa # Parent 742ce6fbc109cc1d0944292e73fcaa1c7291b90d wireproto: declare operation type for most commands (BC) (SEC) The permissions model of hgweb relies on a dictionary to declare the operation associated with each command - either "pull" or "push." This dictionary was established by d3147b4e3e8a in 2008. Unfortunately, we neglected to update this dictionary as new wire protocol commands were introduced. This commit defines the operations of most wire protocol commands in the permissions dictionary. The "batch" command is omitted because it is special and requires a more complex solution. Since permissions checking is skipped unless a command has an entry in this dictionary (this security issue will be addressed in a subsequent commit), the practical effect of this change is that various wire protocol commands now HTTP 401 if web.deny_read or web.allow-pull, etc are set to deny access. This is reflected by test changes. Note how various `hg pull` and `hg push` operations now fail before discovery. (They fail during the initial "capabilities" request.) This change fixes a security issue where built-in wire protocol commands would return repository data even if the web config were configured to deny access to that data. I'm on the fence as to whether we should HTTP 401 the capabilities request. On one hand, it can expose repository metadata and can tell callers things like what version of Mercurial the server is running. On the other hand, a client may need to know the capabilities in order to authenticate in a follow-up request. It appears that Mercurial clients handle the HTTP 401 on *any* protocol request, so we should be OK sending a 401 for "capabilities." But if this causes problems, it should be possible to allow "capabilities" to always work. .. bc:: Various read-only wire protocol commands now return HTTP 401 Unauthorized if the hgweb configuration denies read/pull access to the repository. Previously, various wire protocol commands would still work and return data if read access was disabled. --- hgext/largefiles/uisetup.py | 1 + mercurial/wireproto.py | 8 ++++++++ 2 files changed, 9 insertions(+) --- a/hgext/largefiles/uisetup.py +++ b/hgext/largefiles/uisetup.py @@ -137,6 +137,7 @@ def uisetup(ui): wireproto.permissions['putlfile'] = 'push' wireproto.permissions['getlfile'] = 'pull' wireproto.permissions['statlfile'] = 'pull' + wireproto.permissions['lheads'] = 'pull' extensions.wrapfunction(webcommands, 'decodepath', overrides.decodepath) --- a/mercurial/wireproto.py +++ b/mercurial/wireproto.py @@ -669,10 +669,18 @@ commands = { 'unbundle': (unbundle, 'heads'), } +permissions['between'] = 'pull' +permissions['branches'] = 'pull' +permissions['capabilities'] = 'pull' permissions['changegroup'] = 'pull' permissions['changegroupsubset'] = 'pull' +permissions['debugwireargs'] = 'pull' permissions['getbundle'] = 'pull' +permissions['known'] = 'pull' +permissions['heads'] = 'pull' +permissions['hello'] = 'pull' permissions['listkeys'] = 'pull' +permissions['lookup'] = 'pull' permissions['pushkey'] = 'push' permissions['stream_out'] = 'pull' permissions['unbundle'] = 'push'
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor