File hg-CVE-2018-1000132.patch of Package mercurial.11266

Overview Repositories Revisions Requests Users Attributes Meta

File hg-CVE-2018-1000132.patch of Package mercurial.11266

# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1519003238 28800
# Node ID 2ecb0fc535b1ca08e0170a5df6085c44005beeeb
# Parent  ff4bc0ab6740cdba89be7bffc235e09f3719426e
hgweb: always perform permissions checks on protocol commands (BC) (SEC)

Previously, the HTTP request handling code would only perform
permissions checking on a wire protocol command if that wire protocol
command defined its permissions / operation type. This meant that
commands (possibly provided by extensions) not defining their
operation type would bypass permissions check. This could lead
to exfiltration of data from servers and mutating repositories that
were supposed to be read-only.

This security issue has been present since the permissions table
was introduced by d3147b4e3e8a in 2008.

This commit changes the behavior of the HTTP server to always
perform permissions checking for protocol requests. If an
explicit permission for a wire protocol command is not defined,
the server assumes the command can be used for writing and
governs access accordingly.

.. bc::

Wire protocol commands not defining their operation type in
   ``wireproto.PERMISSIONS`` are now assumed to be used for
   "push" operations and access control to run those commands
   is now enforced accordingly.

---
 mercurial/hgweb/hgweb_mod.py |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -162,8 +162,11 @@ class hgweb(object):
                     raise ErrorResponse(HTTP_NOT_FOUND)
 
                 req.checkperm = lambda op: self.check_perm(req, op)
-                if cmd in perms:
-                    req.checkperm(perms[cmd])
+                # Assume commands with no defined permissions are writes /
+                # for pushes. This is the safest from a security perspective
+                # because it doesn't allow commands with undefined semantics
+                # from bypassing permissions checks.
+                req.checkperm(perms.get(cmd, 'push'))
                 return protocol.call(self.repo, req, cmd)
             except ErrorResponse, inst:
                 # A client that sends unbundle without 100-continue will

Places

File hg-CVE-2018-1000132.patch of Package mercurial.11266

Places