File CVE-2017-1000116-0001.patch of Package mercurial.5472

# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1501074615 -32400
#      Wed Jul 26 22:10:15 2017 +0900
# Branch stable
# Node ID 20bac46f7744494507a0dde8dd606b440d9df439
# Parent  0134d839444b47a5fd297cced69e86fba7c81a16
pathauditor: disable cache of audited paths by default (issue5628)

The initial attempt was to discard cache when appropriate, but it appears
to be error prone. We had to carefully inspect all places where audit() is
called e.g. without actually updating filesystem, before removing files and
directories, etc.

So, this patch disables the cache of audited paths by default, and enables
it only for the following cases:

 - short-lived auditor objects
 - repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories
   and considered sort of append-only (a file/directory would never be
   replaced with a symlink)

There would be more cacheable vfs objects (e.g. mq.queue.opener), but I
decided not to inspect all of them in this patch. We can make them cached
later.

Benchmark result:

- using old clone of http://selenic.com/repo/linux-2.6/ (38319 files)
- on tmpfs
- run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null
- try 4 times and take the last three results

original:
real 7.480 secs (user 1.140+22.760 sys 0.150+1.690)
real 8.010 secs (user 1.070+22.280 sys 0.170+2.120)
real 7.470 secs (user 1.120+22.390 sys 0.120+1.910)

clearcache (the other series):
real 7.680 secs (user 1.120+23.420 sys 0.140+1.970)
real 7.670 secs (user 1.110+23.620 sys 0.130+1.810)
real 7.740 secs (user 1.090+23.510 sys 0.160+1.940)

enable cache only for vfs and svfs (this series):
real 8.730 secs (user 1.500+25.190 sys 0.260+2.260)
real 8.750 secs (user 1.490+25.170 sys 0.250+2.340)
real 9.010 secs (user 1.680+25.340 sys 0.280+2.540)

remove cache function at all (for reference):
real 9.620 secs (user 1.440+27.120 sys 0.250+2.980)
real 9.420 secs (user 1.400+26.940 sys 0.320+3.130)
real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)

---
 mercurial/cmdutil.py   |    2 +-
 mercurial/dirstate.py  |    2 +-
 mercurial/localrepo.py |    6 ++++--
 mercurial/scmutil.py   |   28 ++++++++++++++++++++--------
 4 files changed, 26 insertions(+), 12 deletions(-)

--- a/mercurial/cmdutil.py
+++ b/mercurial/cmdutil.py
@@ -2063,7 +2063,7 @@ def revert(ui, repo, ctx, parents, *pats
                 fc = ctx[f]
                 repo.wwrite(f, fc.data(), fc.flags())
 
-            audit_path = scmutil.pathauditor(repo.root)
+            audit_path = scmutil.pathauditor(repo.root, cached=True)
             for f in remove[0]:
                 if repo.dirstate[f] == 'a':
                     repo.dirstate.drop(f)
--- a/mercurial/dirstate.py
+++ b/mercurial/dirstate.py
@@ -736,7 +736,7 @@ class dirstate(object):
                 # unknown == True means we walked the full directory tree above.
                 # So if a file is not seen it was either a) not matching matchfn
                 # b) ignored, c) missing, or d) under a symlink directory.
-                audit_path = scmutil.pathauditor(self._root)
+                audit_path = scmutil.pathauditor(self._root, cached=True)
 
                 for nf in iter(visit):
                     # Report ignored items in the dmap as long as they are not
--- a/mercurial/localrepo.py
+++ b/mercurial/localrepo.py
@@ -167,7 +167,7 @@ class localrepository(object):
         self.path = self.wvfs.join(".hg")
         self.origroot = path
         self.auditor = scmutil.pathauditor(self.root, self._checknested)
-        self.vfs = scmutil.vfs(self.path)
+        self.vfs = scmutil.vfs(self.path, cacheaudited=True)
         self.opener = self.vfs
         self.baseui = baseui
         self.ui = baseui.copy()
@@ -238,7 +238,9 @@ class localrepository(object):
             if inst.errno != errno.ENOENT:
                 raise
 
-        self.store = store.store(requirements, self.sharedpath, scmutil.vfs)
+        self.store = store.store(
+            requirements, self.sharedpath,
+            lambda base: scmutil.vfs(base, cacheaudited=True))
         self.spath = self.store.path
         self.svfs = self.store.vfs
         self.sopener = self.svfs
--- a/mercurial/scmutil.py
+++ b/mercurial/scmutil.py
@@ -118,12 +118,17 @@ class pathauditor(object):
     - traverses a symlink (e.g. a/symlink_here/b)
     - inside a nested repository (a callback can be used to approve
       some nested repositories, e.g., subrepositories)
+
+    If 'cached' is set to True, audited paths and sub-directories are cached.
+    Be careful to not keep the cache of unmanaged directories for long because
+    audited paths may be replaced with symlinks.
     '''
 
-    def __init__(self, root, callback=None):
+    def __init__(self, root, callback=None, cached=False):
         self.audited = set()
         self.auditeddir = set()
         self.root = root
+        self._cached = cached
         self.callback = callback
         if os.path.lexists(root) and not util.checkcase(root):
             self.normcase = util.normcase
@@ -189,10 +194,11 @@ class pathauditor(object):
             parts.pop()
             normparts.pop()
 
-        self.audited.add(normpath)
-        # only add prefixes to the cache after checking everything: we don't
-        # want to add "foo/bar/baz" before checking if there's a "foo/.hg"
-        self.auditeddir.update(prefixes)
+        if self._cached:
+            self.audited.add(normpath)
+            # only add prefixes to the cache after checking everything: we don't
+            # want to add "foo/bar/baz" before checking if there's a "foo/.hg"
+            self.auditeddir.update(prefixes)
 
     def check(self, path):
         try:
@@ -292,13 +298,19 @@ class vfs(abstractvfs):
 
     This class is used to hide the details of COW semantics and
     remote file access from higher level code.
+
+    'cacheaudited' should be enabled only if (a) vfs object is short-lived, or
+    (b) the base directory is managed by hg and considered sort-of append-only.
+    See pathutil.pathauditor() for details.
     '''
-    def __init__(self, base, audit=True, expandpath=False, realpath=False):
+    def __init__(self, base, audit=True, cacheaudited=False, expandpath=False,
+                 realpath=False):
         if expandpath:
             base = util.expandpath(base)
         if realpath:
             base = os.path.realpath(base)
         self.base = base
+        self._cacheaudited = cacheaudited
         self._setmustaudit(audit)
         self.createmode = None
         self._trustnlink = None
@@ -309,7 +321,7 @@ class vfs(abstractvfs):
     def _setmustaudit(self, onoff):
         self._audit = onoff
         if onoff:
-            self.audit = pathauditor(self.base)
+            self.audit = pathauditor(self.base, cached=self._cacheaudited)
         else:
             self.audit = util.always
 
@@ -767,7 +779,7 @@ def _interestingfiles(repo, matcher):
     This is different from dirstate.status because it doesn't care about
     whether files are modified or clean.'''
     added, unknown, deleted, removed = [], [], [], []
-    audit_path = pathauditor(repo.root)
+    audit_path = pathauditor(repo.root, cached=True)
 
     ctx = repo[None]
     dirstate = repo.dirstate