hgweb: access to `rawenv` (or `$REQUEST_URI`) within a template
Norman Gray
gray at nxg.name
Wed Jan 26 10:03:21 UTC 2022
Gregory, hello.
On 26 Jan 2022, at 2:34, Gregory Szorc wrote:
> Without looking at the code, I don't believe environment variables are
> exposed to the templating system.
I think you're right. In request.py, the environment is passed on to the parsedrequest() object in its rawenv parameter, but that is not, as far as I can see, used anywhere, nor made available to templates.
However the same parserequestfromenv method carefully extracts a selection of fragments of information from the context (in this context meaning both the process environment variables and the HTTP request) and makes it available to the application.
Perhaps my query would be better phrased more narrowly, as: is there any way of getting access to specifically (the content of) the REQUEST_URI CGI environment variable?
I had wondered if there was some non-obvious way of getting access to the rawenv array in a template. I couldn't find any way of doing so by looking through the code, but I'm not confident that I worked out all of the possibilities. Supported access to REQUEST_URI would be better than that, though.
> That could be a potential feature. However, in the context of the HTTP
> server and the hg server process it could be a security issue because the
> process may be running as a separate user and have access to
> privileged/secret environment variables. Anyone with the power to craft a
> templating string could exfiltrate secrets from the process. I'm unsure if
> the logic in my security assessment is sound. But my gut tells me this
> would be a dangerous feature to have.
I see where you're coming from.
I _think_ that would not be a risk, or not an obvious one, because the CGI environment is sanitised before the CGI-handling process sees it. But explicitness is better than implicitness in this sort of context, and I can see an in-principle argument for not relying on that sanitisation here.
However the CGI environment variables, such as REQUEST_URI, are specified and defined precisely because they _are_ useful in some cases.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
More information about the Mercurial-devel
mailing list