[issue778] hooks not run in hgwebdir, but works in global hgrc
Matt Mackall
mpm at selenic.com
Fri Oct 12 23:42:19 UTC 2007
On Sat, Oct 13, 2007 at 09:09:38AM +1000, James Mills wrote:
> On Fri, Oct 12, 2007 at 11:15:16AM -0500, Matt Mackall wrote:
> > This is a security feature.
> >
> > Mercurial doesn't trust most settings in hgrc files that are not owned
> > by the current user. If it did, Alice could add an extension to
> > .hg/hgrc that would steal Bob's data when Bob ran "hg log" in her
> > directory. Similar problems are possible with hooks as well.
>
> How then do we get a hook working?
>
> I have apache running as the 'www' user
> with my hg repos in /data/hg/public/
>
> My hook is in /data/hg/scripts/
> and is owned by root:root

But the important bit is: who owns the _config file_ where the hook is
specified? It must match the user running Mercurial.
--
Mathematics is the supreme nostalgia of our time.
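
The ownership rule described in this message can be checked before deploying a hook. The following is an added example, not code from the thread or from Mercurial: a simplified model that compares the owner of a repository's `.hg/hgrc` with the account that will run Mercurial. It goes beyond the message by also honouring Mercurial's `[trusted]` `users`/`groups` lists; the function names and the `www` account in the usage text are assumptions.

```python
import grp
import os
import pwd
import sys


def id_name(lookup, ident):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def config_trusted(owner, group, run_as, trusted_users=(), trusted_groups=()):
    """Simplified model of the trust rule: the config file's owner must be
    the user running Mercurial, unless that user's own configuration lists
    the owner or group under [trusted] ('*' trusts everyone)."""
    if owner == run_as:
        return True
    if "*" in trusted_users or "*" in trusted_groups:
        return True
    return owner in trusted_users or group in trusted_groups


def audit_hgrc(repo, run_as, trusted_users=(), trusted_groups=()):
    """Report whether <repo>/.hg/hgrc would be honoured for `run_as`."""
    path = os.path.join(repo, ".hg", "hgrc")
    st = os.stat(path)
    owner = id_name(pwd.getpwuid, st.st_uid)
    group = id_name(grp.getgrgid, st.st_gid)
    ok = config_trusted(owner, group, run_as, trusted_users, trusted_groups)
    return {"path": path, "owner": owner, "group": group,
            "run_as": run_as, "trusted": ok}


if __name__ == "__main__":
    # Usage: audit.py <run-as-user> <repo> [<repo> ...]
    # e.g.   audit.py www /data/hg/public/*   (account name is an assumption)
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py <run-as-user> <repo> [<repo> ...]")
    for repo in sys.argv[2:]:
        r = audit_hgrc(repo, sys.argv[1])
        verdict = "honoured" if r["trusted"] else "IGNORED (hooks will not run)"
        print(f'{r["path"]}: owner={r["owner"]} group={r["group"]} -> {verdict}')
```
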