[PATCH 4 of 4 V2] hgweb: config option to blacklist some revset functions in hgweb search

Augie Fackler raf at durin42.com
Mon Aug 12 14:30:24 UTC 2013


On Fri, Aug 09, 2013 at 10:54:58PM +0400, Alexander Plavin wrote:
> # HG changeset patch
> # User Alexander Plavin <alexander at plav.in>
> # Date 1374269558 -14400
> #      Sat Jul 20 01:32:38 2013 +0400
> # Node ID e495c742bf85e0aef4919c94f08effa6effd3695
> # Parent  80319cecf93938fb529984f4a2f5c105bcc709b1
> hgweb: config option to blacklist some revset functions in hgweb search
>
> This option defaults to ['contains'], as this is a heavy-weight function.
>
> diff -r 80319cecf939 -r e495c742bf85 mercurial/help/config.txt
> --- a/mercurial/help/config.txt	Wed Aug 07 01:16:14 2013 +0400
> +++ b/mercurial/help/config.txt	Sat Jul 20 01:32:38 2013 +0400
> @@ -1461,6 +1461,10 @@
>      Whether to require that inbound pushes be transported over SSL to
>      prevent password sniffing. Default is True.
>
> +``revsetblacklist``
> +    List of revset functions which are not allowed in search queries.
> +    Default is 'contains'.

Probably want to blacklist anything that does regexp matches too,
since we're not on re2.

> +
>  ``staticurl``
>      Base URL to use for static files. If unset, static files (e.g. the
>      hgicon.png favicon) will be served by the CGI script itself. Use
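Review bot: the new ``revsetblacklist`` entry says listed functions are "not allowed in search queries" but does not say what happens to a query that uses one. The webcommands.py change in this same patch sends such a query to keyword search instead of rejecting it, so the help text should state that. It would also help to say why 'contains' is the default (the commit message calls it heavy-weight), so administrators know what kind of function belongs in the list.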
> diff -r 80319cecf939 -r e495c742bf85 mercurial/hgweb/webcommands.py
> --- a/mercurial/hgweb/webcommands.py	Wed Aug 07 01:16:14 2013 +0400
> +++ b/mercurial/hgweb/webcommands.py	Sat Jul 20 01:32:38 2013 +0400
> @@ -211,7 +211,11 @@
>              # can't parse to a tree
>              modename = 'kw'
>          else:
> -            if revset.depth(tree) > 2:
> +            funcsused = revset.funcsused(tree)
> +            blacklist = web.configlist('web', 'revsetblacklist', ['contains'])
> +            blacklist = set(blacklist)
> +
> +            if revset.depth(tree) > 2 and not funcsused & blacklist:
>                  mfunc = revset.match(None, revdef)
>                  try:
>                      # try running against empty subset
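Review bot: the new condition `not funcsused & blacklist` is default-allow: every revset function not named in the option still runs from the search box, and the built-in default names only 'contains'. Consider inverting the option into a list of permitted functions, so that a function nobody has reviewed for cost is kept out of web search until it is opted in. A smaller point: the default ['contains'] is now stated both in this configlist call and in config.txt, and the two can drift apart.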
> @@ -224,7 +228,7 @@
>                      # can't run the revset query, e.g. some function misspelled
>                      modename = 'kw'
>              else:
> -                # no revset syntax used
> +                # no revset syntax used or blacklisted functions in the query
>                  modename = 'kw'
>
>      searchfunc = searchfuncs[modename]
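Review bot: the else branch now covers two unrelated cases, and the reworded comment "no revset syntax used or blacklisted functions in the query" is the only place that shows it. A user who types a revset containing a listed function silently gets keyword results through modename = 'kw'. Consider tracking the blacklisted case separately, so the results page can say the revset was not evaluated and which function caused that.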