[PATCH 0 of 6] don't blindly trust .hg/hgrc files
Thomas Arendsen Hein
thomas at intevation.de
Thu Oct 26 17:34:40 UTC 2006
* Alexis S. L. Carvalho <alexis at cecm.usp.br> [20061018 07:57]:
> (patches also available at
> http://www.cecm.usp.br/~alexis/cgi-bin/hgwebdir.cgi/asak/
> )
Pushed to crew with some cosmetic modifications.
Additionally this patch was needed to keep the apache log small:
# HG changeset patch
# User Thomas Arendsen Hein <thomas at intevation.de>
# Date 1161883545 -7200
# Node ID f7dee427cd140345a232c3d5bec8bcae76d5e5b8
# Parent c3043ebe40a02af30db7fdebaa7513b96f39ce11
Turn of "Not trusting file" logging when running hgweb and hgwebdir
(hg serve still shows the warning)
diff -r c3043ebe40a0 -r f7dee427cd14 mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Thu Oct 26 19:25:45 2006 +0200
+++ b/mercurial/hgweb/hgweb_mod.py Thu Oct 26 19:25:45 2006 +0200
@@ -69,7 +69,7 @@ class hgweb(object):
class hgweb(object):
def __init__(self, repo, name=None):
if type(repo) == type(""):
- self.repo = hg.repository(ui.ui(), repo)
+ self.repo = hg.repository(ui.ui(report_untrusted=False), repo)
else:
self.repo = repo
diff -r c3043ebe40a0 -r f7dee427cd14 mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py Thu Oct 26 19:25:45 2006 +0200
+++ b/mercurial/hgweb/hgwebdir_mod.py Thu Oct 26 19:25:45 2006 +0200
@@ -110,7 +110,7 @@ class hgwebdir(object):
rows = []
parity = 0
for name, path in self.repos:
- u = ui.ui()
+ u = ui.ui(report_untrusted=False)
try:
u.readconfig(os.path.join(path, '.hg', 'hgrc'))
except IOError:
diff -r c3043ebe40a0 -r f7dee427cd14 mercurial/ui.py
--- a/mercurial/ui.py Thu Oct 26 19:25:45 2006 +0200
+++ b/mercurial/ui.py Thu Oct 26 19:25:45 2006 +0200
@@ -26,7 +26,8 @@ def updateconfig(source, dest, sections=
class ui(object):
def __init__(self, verbose=False, debug=False, quiet=False,
- interactive=True, traceback=False, parentui=None):
+ interactive=True, traceback=False, report_untrusted=True,
+ parentui=None):
self.overlay = None
self.header = []
self.prev_header = []
@@ -39,6 +40,7 @@ class ui(object):
self.debugflag = debug
self.interactive = interactive
self.traceback = traceback
+ self.report_untrusted = report_untrusted
self.trusted_users = {}
self.trusted_groups = {}
# if ucdata is not None, its keys must be a superset of cdata's
@@ -98,7 +100,7 @@ class ui(object):
user = util.username(st.st_uid)
group = util.groupname(st.st_gid)
if user not in tusers and group not in tgroups:
- if warn:
+ if warn and self.report_untrusted:
self.warn(_('Not trusting file %s from untrusted '
'user %s, group %s\n') % (f, user, group))
return False
Thanks,
Thomas
--
Email: thomas at intevation.de
http://intevation.de/~thomas/
More information about the Mercurial-devel
mailing list