[PATCH] httprepo: long arguments support (issue2126)
Laurens Holst
laurens.nospam at grauw.nl
Sun Mar 27 22:51:37 UTC 2011
On 28-3-2011 0:18, Laurens Holst wrote:
> On 27-3-2011 11:21, Steven Brown wrote:
>> On 21 March 2011 22:54, Laurens Holst <laurens.nospam at grauw.nl> wrote:
>>> On 21-03-11 08:30, Dirkjan Ochtman wrote:
>>>> On Mon, Mar 21, 2011 at 02:39, Matt Mackall <mpm at selenic.com> wrote:
>>>>> Let's try to get more discussion on whether POST is acceptable and
>>>>> anyone is using POST filtering.
>>>> AFAICT restricting push access by filtering out POST requests is a
>>>> fairly common setup.
>>> Yes I do that too, it was the setup described on the wiki. And fairly
>>> convenient I must say (and properly RESTful :)).
>>>
>>> ~Laurens
>>>
>> It would still be possible to authenticate on push like this:
>>
>> RewriteEngine on
>> RewriteCond %{QUERY_STRING} cmd=unbundle
>> RewriteRule .* - [E=hg_auth:1]
>>
>> <Location /hg>
>> Order Allow,Deny
>> Allow from env=!hg_auth
>> AuthType Basic
>> AuthName "Mercurial repositories"
>> AuthUserFile /home/user/hg/hgusers
>> Require valid-user
>> Satisfy Any
>> </Location>
>
> If I understand this correctly, you’re basically saying, POST is not
> authenticated unless it’s an unbundle command?
>
> I don’t think this is good. This means that if you want to add a new
> command that alters the server, all users would have to update their
> servers or they would be insecure. Effectively this means that you
> can’t add new commands, and you’re putting a severe restriction on
> Mercurial’s future extensibility.

Also it is relatively easy to introduce actual security problems: what
if the server configuration doesn’t decode the query strings before
processing but Python or Mercurial does? I could easily unbundle without
getting authenticated by writing cmd=un%62undle. Or, maybe the server
does a case-sensitive match while Mercurial does an insensitive one?
cmd=unBundle. Are the key or value names trimmed? cmd%20=%20unbundle.
Null characters treated specially? cmd%00=%00unbundle.

Lots of edge cases. Are you sure you can cover them all? Maybe by
looking at the Mercurial code and doing a bunch of experiments you can
provide a well-tested Apache configuration, but what if people need to
make modifications, or have a different server technology and need to
create their own authentication rules…

Just trying to illustrate why I think this looks like a bit of a bad idea
to me :).

~Laurens
--
~~ Ushiko-san! Kimi wa doushite, Ushiko-san nan da!! ~~
Laurens Holst, developer, Utrecht, the Netherlands
Website: www.grauw.nl. Backbase employee; www.backbase.com
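
Added example, not part of the original message and not Mercurial or Apache code: a small differential check that runs the query-string spellings mentioned above through a model of the quoted `RewriteCond` and through a hypothetical back-end parser, and reports where the two disagree. The front end is modelled as a case-sensitive regex on the raw query string; `back_end_command` and its `casefold`/`strip` switches are assumptions standing in for whatever the application does, not a reproduction of either product's real parsing.

```python
import re
from urllib.parse import parse_qs

# Model of the quoted RewriteCond: an unanchored, case-sensitive regex
# run against the raw, still percent-encoded query string.
FRONT_END_RULE = re.compile(r"cmd=unbundle")

# Constructed sample inputs: the spellings named in the message, plus one
# harmless over-match showing that the regex is unanchored.
SAMPLES = [
    "cmd=unbundle",
    "cmd=un%62undle",
    "cmd=unBundle",
    "cmd%20=%20unbundle",
    "cmd%00=%00unbundle",
    "cmd=capabilities&x=cmd=unbundle",
]

def front_end_requires_auth(raw_query):
    return FRONT_END_RULE.search(raw_query) is not None

def back_end_command(raw_query, casefold=False, strip=False):
    """Hypothetical back end: always percent-decodes, optionally normalizes."""
    for key, values in parse_qs(raw_query, keep_blank_values=True).items():
        value = values[0]
        if strip:
            key, value = key.strip(), value.strip()
        if casefold:
            key, value = key.lower(), value.lower()
        if key == "cmd":
            return value
    return None

def audit(raw_query, protected=("unbundle",), **back_end):
    """'gap' = a protected command reaches the back end without the auth rule firing."""
    needs_auth = back_end_command(raw_query, **back_end) in protected
    gated = front_end_requires_auth(raw_query)
    if needs_auth and not gated:
        return "gap"
    if gated and not needs_auth:
        return "overmatch"
    return "ok"

def report(**back_end):
    return {query: audit(query, **back_end) for query in SAMPLES}

if __name__ == "__main__":
    for name, model in [("strict", {}), ("lenient", {"casefold": True, "strip": True})]:
        for query, verdict in report(**model).items():
            print(f"{name:8} {verdict:10} {query!r}")
```

Passing a larger `protected` tuple also shows the extensibility concern: any state-changing command that the rule does not name is reported as a gap.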