File hg-r36754.patch of Package mercurial.7061

Overview Repositories Revisions Requests Users Attributes Meta

File hg-r36754.patch of Package mercurial.7061

# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1519181667 28800
#      Tue Feb 20 18:54:27 2018 -0800
# Branch stable
# Node ID e3c228b4510db166179fbc3e8a15033adb3104aa
# Parent  742ce6fbc109cc1d0944292e73fcaa1c7291b90d
wireproto: declare operation type for most commands (BC) (SEC)

The permissions model of hgweb relies on a dictionary to declare
the operation associated with each command - either "pull" or
"push." This dictionary was established by d3147b4e3e8a in 2008.
Unfortunately, we neglected to update this dictionary as new
wire protocol commands were introduced.

This commit defines the operations of most wire protocol commands
in the permissions dictionary. The "batch" command is omitted because
it is special and requires a more complex solution.

Since permissions checking is skipped unless a command has an entry in
this dictionary (this security issue will be addressed in a subsequent
commit), the practical effect of this change is that various wire
protocol commands now HTTP 401 if web.deny_read or web.allow-pull,
etc are set to deny access. This is reflected by test changes. Note
how various `hg pull` and `hg push` operations now fail before
discovery. (They fail during the initial "capabilities" request.)

This change fixes a security issue where built-in wire protocol
commands would return repository data even if the web config were
configured to deny access to that data.

I'm on the fence as to whether we should HTTP 401 the capabilities
request. On one hand, it can expose repository metadata and can tell
callers things like what version of Mercurial the server is running.
On the other hand, a client may need to know the capabilities in order
to authenticate in a follow-up request. It appears that Mercurial
clients handle the HTTP 401 on *any* protocol request, so we should
be OK sending a 401 for "capabilities." But if this causes problems,
it should be possible to allow "capabilities" to always work.

.. bc::

Various read-only wire protocol commands now return HTTP 401
   Unauthorized if the hgweb configuration denies read/pull access to
   the repository.

Previously, various wire protocol commands would still work and
   return data if read access was disabled.

---
 hgext/largefiles/uisetup.py |    1 +
 mercurial/wireproto.py      |    8 ++++++++
 2 files changed, 9 insertions(+)

--- a/hgext/largefiles/uisetup.py
+++ b/hgext/largefiles/uisetup.py
@@ -137,6 +137,7 @@ def uisetup(ui):
     wireproto.permissions['putlfile'] = 'push'
     wireproto.permissions['getlfile'] = 'pull'
     wireproto.permissions['statlfile'] = 'pull'
+    wireproto.permissions['lheads'] = 'pull'
 
     extensions.wrapfunction(webcommands, 'decodepath', overrides.decodepath)
 
--- a/mercurial/wireproto.py
+++ b/mercurial/wireproto.py
@@ -669,10 +669,18 @@ commands = {
     'unbundle': (unbundle, 'heads'),
 }
 
+permissions['between'] = 'pull'
+permissions['branches'] = 'pull'
+permissions['capabilities'] = 'pull'
 permissions['changegroup'] = 'pull'
 permissions['changegroupsubset'] = 'pull'
+permissions['debugwireargs'] = 'pull'
 permissions['getbundle'] = 'pull'
+permissions['known'] = 'pull'
+permissions['heads'] = 'pull'
+permissions['hello'] = 'pull'
 permissions['listkeys'] = 'pull'
+permissions['lookup'] = 'pull'
 permissions['pushkey'] = 'push'
 permissions['stream_out'] = 'pull'
 permissions['unbundle'] = 'push'

Places

File hg-r36754.patch of Package mercurial.7061

Places