changeset 7398:ba444b73e01a stable

hg: make protocol access control more explicit. Enumerate all currently known commands, and default to requiring 'push' access for all unknown commands. This change mitigates some privilege escalation problems like CVE-2018-1000132, which was fixed in Mercurial 4.5.1 and is currently described on https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 .
author Mads Kiilerich <mads@kiilerich.com>
date Sun, 21 Oct 2018 15:19:56 +0200
parents 3ee4ac068369
children ea46ff2a9404
files kallithea/lib/middleware/simplehg.py
diffstat 1 files changed, 31 insertions(+), 8 deletions(-) [+]
--- a/kallithea/lib/middleware/simplehg.py	Sun Oct 21 15:18:43 2018 +0200
+++ b/kallithea/lib/middleware/simplehg.py	Sun Oct 21 15:19:56 2018 +0200
@@ -287,12 +287,35 @@
 
         :param environ:
         """
-        mapping = {'changegroup': 'pull',
-                   'changegroupsubset': 'pull',
-                   'stream_out': 'pull',
-                   'listkeys': 'pull',
-                   'unbundle': 'push',
-                   'pushkey': 'push', }
+        mapping = {
+            # 'batch' is not in this list - it is handled explicitly
+            'between': 'pull',
+            'branches': 'pull',
+            'branchmap': 'pull',
+            'capabilities': 'pull',
+            'changegroup': 'pull',
+            'changegroupsubset': 'pull',
+            'changesetdata': 'pull',
+            'clonebundles': 'pull',
+            'debugwireargs': 'pull',
+            'filedata': 'pull',
+            'getbundle': 'pull',
+            'getlfile': 'pull',
+            'heads': 'pull',
+            'hello': 'pull',
+            'known': 'pull',
+            'lheads': 'pull',
+            'listkeys': 'pull',
+            'lookup': 'pull',
+            'manifestdata': 'pull',
+            'narrow_widen': 'pull',
+            'protocaps': 'pull',
+            'statlfile': 'pull',
+            'stream_out': 'pull',
+            'pushkey': 'push',
+            'putlfile': 'push',
+            'unbundle': 'push',
+            }
         for qry in environ['QUERY_STRING'].split('&'):
             parts = qry.split('=', 1)
             if len(parts) == 2 and parts[0] == 'cmd':
@@ -303,12 +326,12 @@
                         return 'push' # paranoid and safe
                     for cmd_arg in hgarg[5:].split(';'):
                         cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)
-                        op = mapping.get(cmd, 'pull')
+                        op = mapping.get(cmd, 'push')
                         if op != 'pull':
                             assert op == 'push'
                             return 'push'
                     return 'pull'
-                return mapping.get(cmd, 'pull')
+                return mapping.get(cmd, 'push')
 
         raise Exception('Unable to detect pull/push action !!'
                         'Are you using non standard command or client ?')
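Review bot: The batch loop at lines 58-59 still unpacks `cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)`, so a crafted `cmds=` entry with no space (e.g. `cmds=heads` instead of `cmds=heads%20`) raises ValueError before the new fail-closed `mapping.get(cmd, 'push')` on line 61 is ever reached. Presumably that surfaces as a 500 rather than as granted access, so it is a robustness gap rather than a bypass, but the permission check should not depend on it; `cmd = urllib.unquote_plus(cmd_arg).split(' ', 1)[0]` tolerates the malformed entry and still sends unknown names to 'push'. The `assert op == 'push'` on line 63 is now guaranteed by construction and is stripped under `python -O`; that is harmless because the branch already returns 'push', but the assert could simply be dropped. The enclosing method starts before this hunk.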