File CVE-2017-1000116-0001.patch of Package mercurial.8018
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1501074615 -32400
# Wed Jul 26 22:10:15 2017 +0900
# Branch stable
# Node ID 20bac46f7744494507a0dde8dd606b440d9df439
# Parent 0134d839444b47a5fd297cced69e86fba7c81a16
pathauditor: disable cache of audited paths by default (issue5628)
The initial attempt was to discard cache when appropriate, but it appears
to be error prone. We had to carefully inspect all places where audit() is
called e.g. without actually updating filesystem, before removing files and
directories, etc.
So, this patch disables the cache of audited paths by default, and enables
it only for the following cases:
- short-lived auditor objects
- repo.vfs, repo.svfs, and repo.cachevfs, which are managed directories
and considered sort of append-only (a file/directory would never be
replaced with a symlink)
There would be more cacheable vfs objects (e.g. mq.queue.opener), but I
decided not to inspect all of them in this patch. We can make them cached
later.
Benchmark result:
- using old clone of http://selenic.com/repo/linux-2.6/ (38319 files)
- on tmpfs
- run HGRCPATH=/dev/null hg up -q --time tip && hg up -q null
- try 4 times and take the last three results
original:
real 7.480 secs (user 1.140+22.760 sys 0.150+1.690)
real 8.010 secs (user 1.070+22.280 sys 0.170+2.120)
real 7.470 secs (user 1.120+22.390 sys 0.120+1.910)
clearcache (the other series):
real 7.680 secs (user 1.120+23.420 sys 0.140+1.970)
real 7.670 secs (user 1.110+23.620 sys 0.130+1.810)
real 7.740 secs (user 1.090+23.510 sys 0.160+1.940)
enable cache only for vfs and svfs (this series):
real 8.730 secs (user 1.500+25.190 sys 0.260+2.260)
real 8.750 secs (user 1.490+25.170 sys 0.250+2.340)
real 9.010 secs (user 1.680+25.340 sys 0.280+2.540)
remove cache function at all (for reference):
real 9.620 secs (user 1.440+27.120 sys 0.250+2.980)
real 9.420 secs (user 1.400+26.940 sys 0.320+3.130)
real 9.760 secs (user 1.530+27.270 sys 0.250+2.970)
---
mercurial/cmdutil.py | 2 +-
mercurial/dirstate.py | 2 +-
mercurial/localrepo.py | 6 ++++--
mercurial/scmutil.py | 28 ++++++++++++++++++++--------
4 files changed, 26 insertions(+), 12 deletions(-)
--- a/mercurial/cmdutil.py
+++ b/mercurial/cmdutil.py
@@ -2063,7 +2063,7 @@ def revert(ui, repo, ctx, parents, *pats
fc = ctx[f]
repo.wwrite(f, fc.data(), fc.flags())
- audit_path = scmutil.pathauditor(repo.root)
+ audit_path = scmutil.pathauditor(repo.root, cached=True)
for f in remove[0]:
if repo.dirstate[f] == 'a':
repo.dirstate.drop(f)
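Review bot: The `cached=True` passed to `pathauditor(repo.root, ...)` has no comment saying why caching is acceptable for an auditor rooted at the working directory, which is the unmanaged case the new `pathauditor` docstring warns about. The same applies to the `audit_path` lines in the dirstate.py hunk and in `_interestingfiles` in scmutil.py. I would add `# short-lived auditor, so caching audited paths is acceptable` above each, so that a refactor which hoists the auditor onto a longer-lived object has to revisit the flag. In `revert` the auditor is created right after `repo.wwrite` calls and used in the loop over `remove[0]`, which continues outside the hunk, so the short lifetime is an assumption worth stating.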
--- a/mercurial/dirstate.py
+++ b/mercurial/dirstate.py
@@ -736,7 +736,7 @@ class dirstate(object):
# unknown == True means we walked the full directory tree above.
# So if a file is not seen it was either a) not matching matchfn
# b) ignored, c) missing, or d) under a symlink directory.
- audit_path = scmutil.pathauditor(self._root)
+ audit_path = scmutil.pathauditor(self._root, cached=True)
for nf in iter(visit):
# Report ignored items in the dmap as long as they are not
--- a/mercurial/localrepo.py
+++ b/mercurial/localrepo.py
@@ -167,7 +167,7 @@ class localrepository(object):
self.path = self.wvfs.join(".hg")
self.origroot = path
self.auditor = scmutil.pathauditor(self.root, self._checknested)
- self.vfs = scmutil.vfs(self.path)
+ self.vfs = scmutil.vfs(self.path, cacheaudited=True)
self.opener = self.vfs
self.baseui = baseui
self.ui = baseui.copy()
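Review bot: Only `self.vfs` here and the store vfs in the next hunk are switched to `cacheaudited=True`, while the description also names repo.cachevfs and no hunk in localrepo.py touches it. If this tree has no `cachevfs`, that is expected for a backport; otherwise it stays on the uncached default, which is safe but slower than the description implies. `self.auditor` on the context line above keeps the uncached default, which looks intended for the working-directory auditor. A comment such as `# not cached: working directory paths may be replaced with symlinks` would keep a later change from turning it back on.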
@@ -238,7 +238,9 @@ class localrepository(object):
if inst.errno != errno.ENOENT:
raise
- self.store = store.store(requirements, self.sharedpath, scmutil.vfs)
+ self.store = store.store(
+ requirements, self.sharedpath,
+ lambda base: scmutil.vfs(base, cacheaudited=True))
self.spath = self.store.path
self.svfs = self.store.vfs
self.sopener = self.svfs
--- a/mercurial/scmutil.py
+++ b/mercurial/scmutil.py
@@ -118,12 +118,17 @@ class pathauditor(object):
- traverses a symlink (e.g. a/symlink_here/b)
- inside a nested repository (a callback can be used to approve
some nested repositories, e.g., subrepositories)
+
+ If 'cached' is set to True, audited paths and sub-directories are cached.
+ Be careful to not keep the cache of unmanaged directories for long because
+ audited paths may be replaced with symlinks.
'''
- def __init__(self, root, callback=None):
+ def __init__(self, root, callback=None, cached=False):
self.audited = set()
self.auditeddir = set()
self.root = root
+ self._cached = cached
self.callback = callback
if os.path.lexists(root) and not util.checkcase(root):
self.normcase = util.normcase
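Review bot: The added docstring tells callers not to keep the cache "for long" but does not say what goes wrong if they do. Judging from the `audited` and `auditeddir` sets, a path already in the cache is presumably accepted without looking at the filesystem again, although the lookup itself is outside this hunk. I would state that directly, e.g. `With cached=True a path that passed once is not re-checked, so use it only for auditors discarded before the tree can change or for directories written only by hg.` `__init__` continues past the end of the hunk.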
@@ -189,10 +194,11 @@ class pathauditor(object):
parts.pop()
normparts.pop()
- self.audited.add(normpath)
- # only add prefixes to the cache after checking everything: we don't
- # want to add "foo/bar/baz" before checking if there's a "foo/.hg"
- self.auditeddir.update(prefixes)
+ if self._cached:
+ self.audited.add(normpath)
+ # only add prefixes to the cache after checking everything: we don't
+ # want to add "foo/bar/baz" before checking if there's a "foo/.hg"
+ self.auditeddir.update(prefixes)
def check(self, path):
try:
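Review bot: Nothing in this patch exercises the new default behind `if self._cached:`, since the diffstat lists four source files and no test. A regression test would pin the behaviour this guard exists for: audit a path with a default (`cached=False`) auditor, replace a parent directory with a symlink, and expect the second audit to be rejected. Such a test may be part of another patch in the series, which is not visible here. The guarded block sits at the end of `audit()`, whose body starts outside the hunk.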
@@ -292,13 +298,19 @@ class vfs(abstractvfs):
This class is used to hide the details of COW semantics and
remote file access from higher level code.
+
+ 'cacheaudited' should be enabled only if (a) vfs object is short-lived, or
+ (b) the base directory is managed by hg and considered sort-of append-only.
+ See pathutil.pathauditor() for details.
'''
- def __init__(self, base, audit=True, expandpath=False, realpath=False):
+ def __init__(self, base, audit=True, cacheaudited=False, expandpath=False,
+ realpath=False):
if expandpath:
base = util.expandpath(base)
if realpath:
base = os.path.realpath(base)
self.base = base
+ self._cacheaudited = cacheaudited
self._setmustaudit(audit)
self.createmode = None
self._trustnlink = None
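Review bot: `cacheaudited` is inserted between `audit` and `expandpath`, so a caller that passes `expandpath` or `realpath` positionally now silently sets `cacheaudited` instead and turns the cache on for a directory nobody vetted. Appending the parameter keeps existing positional calls working: `def __init__(self, base, audit=True, expandpath=False, realpath=False, cacheaudited=False):`. The callers changed in this patch already use the keyword, so they are unaffected either way. The docstring also points to `pathutil.pathauditor()`, while the earlier hunk shows the class defined in scmutil.py in this tree, so `See pathauditor for details.` would be accurate. `__init__` continues past the end of the hunk.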
@@ -309,7 +321,7 @@ class vfs(abstractvfs):
def _setmustaudit(self, onoff):
self._audit = onoff
if onoff:
- self.audit = pathauditor(self.base)
+ self.audit = pathauditor(self.base, cached=self._cacheaudited)
else:
self.audit = util.always
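Review bot: `_setmustaudit` now depends on `self._cacheaudited`, which only `vfs.__init__` assigns in the previous hunk, so toggling auditing on an object built without that `__init__` would raise AttributeError here. Whether such objects exist is not visible from the patch, but `cached=getattr(self, '_cacheaudited', False)` falls back to the uncached auditor at no cost. Each call also builds a fresh `pathauditor`, so re-enabling auditing discards any existing cache, which is the safe direction.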
@@ -767,7 +779,7 @@ def _interestingfiles(repo, matcher):
This is different from dirstate.status because it doesn't care about
whether files are modified or clean.'''
added, unknown, deleted, removed = [], [], [], []
- audit_path = pathauditor(repo.root)
+ audit_path = pathauditor(repo.root, cached=True)
ctx = repo[None]
dirstate = repo.dirstate