[Request] [+ ] D10905: stream: double check that self.vfs is *not* in the vfsmap
marmoute (Pierre-Yves David)
phabricator at mercurial-scm.org
Thu Jun 24 07:14:48 UTC 2021
marmoute created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.
REVISION SUMMARY
The stream clone logic allows for writing any content to any file under various
vfs. This is *not* suitable for *vfs*, since writing in `.hg/` directly allows
modifying the configuration and is a great and simple gateway for remote code
execution.
REPOSITORY
rHG Mercurial
BRANCH
stable
REVISION DETAIL
https://phab.mercurial-scm.org/D10905
AFFECTED FILES
mercurial/streamclone.py
CHANGE DETAILS
diff --git a/mercurial/streamclone.py b/mercurial/streamclone.py
--- a/mercurial/streamclone.py
+++ b/mercurial/streamclone.py
@@ -560,6 +560,12 @@
def _emit2(repo, entries, totalfilesize):
"""actually emit the stream bundle"""
vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger there
+ # (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this is
+ # fine, while this is really not fine.
+ assert repo.vfs not in vfsmap.values()
progress = repo.ui.makeprogress(
_(b'bundle'), total=totalfilesize, unit=_(b'bytes')
)
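Review bot: The guard added in `_emit2`, `assert repo.vfs not in vfsmap.values()`, is a bare `assert`, and Python drops assert statements when run with `-O`, so this security check silently disappears in optimized runs. Since the summary names remote code execution as the risk, an explicit `if repo.vfs in vfsmap.values(): raise error.ProgrammingError(...)` would hold in every mode. The new comment also has a dropped word and a typo: "out of the on purpose, ther are" presumably means "out of the map on purpose, there are".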
@@ -685,6 +691,12 @@
progress.update(0)
vfsmap = _makemap(repo)
+ # we keep repo.vfs out of the on purpose, ther are too many danger
+ # there (eg: .hg/hgrc),
+ #
+ # this assert is duplicated (from _makemap) as author might think this
+ # is fine, while this is really not fine.
+ assert repo.vfs not in vfsmap.values()
with repo.transaction(b'clone'):
ctxs = (vfs.backgroundclosing(repo.ui) for vfs in vfsmap.values())
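Review bot: In this second hunk the same `assert repo.vfs not in vfsmap.values()` only tests whether the `repo.vfs` object itself is among the map values, so a different vfs object rooted at the same `.hg/` directory would pass the check. If the intent is that nothing in the map can write under `.hg/` directly, comparing the directories the vfs objects point at would be stronger. The comment and assert are also copied verbatim from the first hunk, typos included; a small shared helper called from both places would keep the two checks from drifting apart.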
To: marmoute, #hg-reviewers
Cc: mercurial-patches, mercurial-devel