Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Maintenance:8400
mercurial.openSUSE_Leap_42.3_Update
hg-r36754.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File hg-r36754.patch of Package mercurial.openSUSE_Leap_42.3_Update
# HG changeset patch # User Gregory Szorc <gregory.szorc@gmail.com> # Date 1519181667 28800 # Tue Feb 20 18:54:27 2018 -0800 # Branch stable # Node ID e3c228b4510db166179fbc3e8a15033adb3104aa # Parent 742ce6fbc109cc1d0944292e73fcaa1c7291b90d wireproto: declare operation type for most commands (BC) (SEC) The permissions model of hgweb relies on a dictionary to declare the operation associated with each command - either "pull" or "push." This dictionary was established by d3147b4e3e8a in 2008. Unfortunately, we neglected to update this dictionary as new wire protocol commands were introduced. This commit defines the operations of most wire protocol commands in the permissions dictionary. The "batch" command is omitted because it is special and requires a more complex solution. Since permissions checking is skipped unless a command has an entry in this dictionary (this security issue will be addressed in a subsequent commit), the practical effect of this change is that various wire protocol commands now HTTP 401 if web.deny_read or web.allow-pull, etc are set to deny access. This is reflected by test changes. Note how various `hg pull` and `hg push` operations now fail before discovery. (They fail during the initial "capabilities" request.) This change fixes a security issue where built-in wire protocol commands would return repository data even if the web config were configured to deny access to that data. I'm on the fence as to whether we should HTTP 401 the capabilities request. On one hand, it can expose repository metadata and can tell callers things like what version of Mercurial the server is running. On the other hand, a client may need to know the capabilities in order to authenticate in a follow-up request. It appears that Mercurial clients handle the HTTP 401 on *any* protocol request, so we should be OK sending a 401 for "capabilities." But if this causes problems, it should be possible to allow "capabilities" to always work. .. bc:: Various read-only wire protocol commands now return HTTP 401 Unauthorized if the hgweb configuration denies read/pull access to the repository. Previously, various wire protocol commands would still work and return data if read access was disabled. --- hgext/largefiles/uisetup.py | 1 + mercurial/wireproto.py | 10 ++++++++++ tests/test-largefiles-wireproto.t | 4 ++-- tests/test-pull-http.t | 2 -- 4 files changed, 13 insertions(+), 4 deletions(-) --- a/hgext/largefiles/uisetup.py +++ b/hgext/largefiles/uisetup.py @@ -179,6 +179,7 @@ def uisetup(ui): wireproto.permissions['putlfile'] = 'push' wireproto.permissions['getlfile'] = 'pull' wireproto.permissions['statlfile'] = 'pull' + wireproto.permissions['lheads'] = 'pull' extensions.wrapfunction(webcommands, 'decodepath', overrides.decodepath) --- a/mercurial/wireproto.py +++ b/mercurial/wireproto.py @@ -705,6 +705,7 @@ def batch(repo, proto, cmds, others): res.append(escapearg(result)) return ';'.join(res) +permissions['between'] = 'pull' @wireprotocommand('between', 'pairs') def between(repo, proto, pairs): pairs = [decodelist(p, '-') for p in pairs.split(" ")] @@ -713,6 +714,7 @@ def between(repo, proto, pairs): r.append(encodelist(b) + "\n") return "".join(r) +permissions['branchmap'] = 'pull' @wireprotocommand('branchmap') def branchmap(repo, proto): branchmap = repo.branchmap() @@ -723,6 +725,7 @@ def branchmap(repo, proto): heads.append('%s %s' % (branchname, branchnodes)) return '\n'.join(heads) +permissions['branches'] = 'pull' @wireprotocommand('branches', 'nodes') def branches(repo, proto, nodes): nodes = decodelist(nodes) @@ -731,6 +734,7 @@ def branches(repo, proto, nodes): r.append(encodelist(b) + "\n") return "".join(r) +permissions['clonebundles'] = 'pull' @wireprotocommand('clonebundles', '') def clonebundles(repo, proto): """Server command for returning info for available bundles to seed clones. @@ -793,6 +797,7 @@ def _capabilities(repo, proto): # If you are writing an extension and consider wrapping this function. Wrap # `_capabilities` instead. +permissions['capabilities'] = 'pull' @wireprotocommand('capabilities') def capabilities(repo, proto): return ' '.join(_capabilities(repo, proto)) @@ -812,6 +817,7 @@ def changegroupsubset(repo, proto, bases cg = changegroupmod.changegroupsubset(repo, bases, heads, 'serve') return streamres(reader=cg, v1compressible=True) +permissions['debugwireargs'] = 'pull' @wireprotocommand('debugwireargs', 'one two *') def debugwireargs(repo, proto, one, two, others): # only accept optional args from the known set @@ -867,11 +873,13 @@ def getbundle(repo, proto, others): return streamres(gen=bundler.getchunks(), v1compressible=True) return streamres(gen=chunks, v1compressible=True) +permissions['heads'] = 'pull' @wireprotocommand('heads') def heads(repo, proto): h = repo.heads() return encodelist(h) + "\n" +permissions['hello'] = 'pull' @wireprotocommand('hello') def hello(repo, proto): '''the hello command returns a set of lines describing various @@ -889,6 +897,7 @@ def listkeys(repo, proto, namespace): d = repo.listkeys(encoding.tolocal(namespace)).items() return pushkeymod.encodekeys(d) +permissions['lookup'] = 'pull' @wireprotocommand('lookup', 'key') def lookup(repo, proto, key): try: @@ -901,6 +910,7 @@ def lookup(repo, proto, key): success = 0 return "%s %s\n" % (success, r) +permissions['known'] = 'pull' @wireprotocommand('known', 'nodes *') def known(repo, proto, nodes, others): return ''.join(b and "1" or "0" for b in repo.known(decodelist(nodes))) --- a/tests/test-largefiles-wireproto.t +++ b/tests/test-largefiles-wireproto.t @@ -428,11 +428,11 @@ a large file from the server rather than > EOF $ hg clone --config ui.interactive=true --config extensions.getpass=get_pass.py \ > http://user@localhost:$HGPORT credentialclone - requesting all changes http authorization required for http://localhost:$HGPORT/ realm: mercurial user: user - password: adding changesets + password: requesting all changes + adding changesets adding manifests adding file changes added 1 changesets with 1 changes to 1 files --- a/tests/test-pull-http.t +++ b/tests/test-pull-http.t @@ -49,7 +49,6 @@ expect error, cloning not allowed $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log $ cat hg.pid >> $DAEMON_PIDS $ hg clone http://localhost:$HGPORT/ test4 # bundle2+ - requesting all changes abort: authorization failed [255] $ hg clone http://localhost:$HGPORT/ test4 --config devel.legacy.exchange=bundle1 @@ -73,7 +72,6 @@ expect error, pulling not allowed $ req pulling from http://localhost:$HGPORT/ - searching for changes abort: authorization failed % serve errors
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor