[PATCH 4 of 4 V2] hgweb: config option to blacklist some revset functions in hgweb search
Alexander Plavin
alexander at plav.in
Mon Aug 12 18:21:04 UTC 2013
12.08.2013, 18:30, "Augie Fackler" <raf at durin42.com>:
> On Fri, Aug 09, 2013 at 10:54:58PM +0400, Alexander Plavin wrote:
>
>> # HG changeset patch
>> # User Alexander Plavin <alexander at plav.in>
>> # Date 1374269558 -14400
>> # Sat Jul 20 01:32:38 2013 +0400
>> # Node ID e495c742bf85e0aef4919c94f08effa6effd3695
>> # Parent 80319cecf93938fb529984f4a2f5c105bcc709b1
>> hgweb: config option to blacklist some revset functions in hgweb search
>>
>> This option defaults to ['contains'], as this is a heavy-weight function.
>>
>> diff -r 80319cecf939 -r e495c742bf85 mercurial/help/config.txt
>> --- a/mercurial/help/config.txt Wed Aug 07 01:16:14 2013 +0400
>> +++ b/mercurial/help/config.txt Sat Jul 20 01:32:38 2013 +0400
>> @@ -1461,6 +1461,10 @@
>> Whether to require that inbound pushes be transported over SSL to
>> prevent password sniffing. Default is True.
>>
>> +``revsetblacklist``
>> + List of revset functions which are not allowed in search queries.
>> + Default is 'contains'.
>
> Probably want to blacklist anything that does regexp matches too,
> since we're not on re2.
As I understand, blacklisting grep function and also 're:' prefix for others? I can see two ways to do this: pass an argument somehow to revset._stringmatcher function to switch off 're:' prefix check, or just replacing '\(\s+re:' with '(literal:re:' in the query string. The first method seems more robust of course. Am I correct here?
Btw, nice library re2, didn't see it before :)
>
>> +
>> ``staticurl``
>> Base URL to use for static files. If unset, static files (e.g. the
>> hgicon.png favicon) will be served by the CGI script itself. Use
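Review bot: the new ``revsetblacklist`` help entry does not say what happens to a search query that uses a listed function. Going by the webcommands.py change in this patch, such a query is handled as a keyword search (modename = 'kw') rather than rejected, and the help text should say so. It should also mention that setting the option replaces the default list, since ['contains'] is only the fallback passed to web.configlist, so an administrator who lists other functions has to repeat 'contains' to keep it blocked.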
>> diff -r 80319cecf939 -r e495c742bf85 mercurial/hgweb/webcommands.py
>> --- a/mercurial/hgweb/webcommands.py Wed Aug 07 01:16:14 2013 +0400
>> +++ b/mercurial/hgweb/webcommands.py Sat Jul 20 01:32:38 2013 +0400
>> @@ -211,7 +211,11 @@
>> # can't parse to a tree
>> modename = 'kw'
>> else:
>> - if revset.depth(tree) > 2:
>> + funcsused = revset.funcsused(tree)
>> + blacklist = web.configlist('web', 'revsetblacklist', ['contains'])
>> + blacklist = set(blacklist)
>> +
>> + if revset.depth(tree) > 2 and not funcsused & blacklist:
>> mfunc = revset.match(None, revdef)
>> try:
>> # try running against empty subset
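Review bot: the new condition "revset.depth(tree) > 2 and not funcsused & blacklist" checks function names only, so the regexp concern raised in this thread ('re:' prefixes inside arguments of other functions) is not covered by this option and needs separate handling. A list of disallowed names also lets through every revset function nobody thought to list, which argues for a list of allowed functions instead. Minor: the two "blacklist = ..." assignments can be a single set(web.configlist(...)) expression, and both the config lookup and revset.funcsused(tree) are evaluated even when the depth check alone already rules the query out.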
>> @@ -224,7 +228,7 @@
>> # can't run the revset query, e.g. some function misspelled
>> modename = 'kw'
>> else:
>> - # no revset syntax used
>> + # no revset syntax used or blacklisted functions in the query
>> modename = 'kw'
>>
>> searchfunc = searchfuncs[modename]
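Review bot: the reworded comment on the final else: branch is ambiguous; "no revset syntax used or blacklisted functions in the query" can be read as "no blacklisted functions in the query". Something like "no revset syntax used, or the query uses a blacklisted function" says what is meant. The fallback to keyword mode is also silent in the lines shown here: a user whose revset query hits the blacklist gets keyword results with no indication why, so consider passing a note to the search template.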
>> _______________________________________________
>> Mercurial-devel mailing list
>> Mercurial-devel at selenic.com
>> http://selenic.com/mailman/listinfo/mercurial-devel