changeset 7398:ba444b73e01a stable
hg: make protocol access control more explicit
Enumerate all currently known commands, and default to require 'push' access
for all unknown commands.
This change mitigates some privilege escalation problems like CVE-2018-1000132
which was fixed in Mercurial 4.5.1 and is currently described at
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 .
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Sun, 21 Oct 2018 15:19:56 +0200 |
parents | 3ee4ac068369 |
children | ea46ff2a9404 |
files | kallithea/lib/middleware/simplehg.py |
diffstat | 1 files changed, 31 insertions(+), 8 deletions(-) [+] |
--- a/kallithea/lib/middleware/simplehg.py	Sun Oct 21 15:18:43 2018 +0200
+++ b/kallithea/lib/middleware/simplehg.py	Sun Oct 21 15:19:56 2018 +0200
@@ -287,12 +287,35 @@
         :param environ:
         """
-        mapping = {'changegroup': 'pull',
-                   'changegroupsubset': 'pull',
-                   'stream_out': 'pull',
-                   'listkeys': 'pull',
-                   'unbundle': 'push',
-                   'pushkey': 'push', }
+        mapping = {
+            # 'batch' is not in this list - it is handled explicitly
+            'between': 'pull',
+            'branches': 'pull',
+            'branchmap': 'pull',
+            'capabilities': 'pull',
+            'changegroup': 'pull',
+            'changegroupsubset': 'pull',
+            'changesetdata': 'pull',
+            'clonebundles': 'pull',
+            'debugwireargs': 'pull',
+            'filedata': 'pull',
+            'getbundle': 'pull',
+            'getlfile': 'pull',
+            'heads': 'pull',
+            'hello': 'pull',
+            'known': 'pull',
+            'lheads': 'pull',
+            'listkeys': 'pull',
+            'lookup': 'pull',
+            'manifestdata': 'pull',
+            'narrow_widen': 'pull',
+            'protocaps': 'pull',
+            'statlfile': 'pull',
+            'stream_out': 'pull',
+            'pushkey': 'push',
+            'putlfile': 'push',
+            'unbundle': 'push',
+        }
         for qry in environ['QUERY_STRING'].split('&'):
             parts = qry.split('=', 1)
             if len(parts) == 2 and parts[0] == 'cmd':
@@ -303,12 +326,12 @@
                         return 'push' # paranoid and safe
                 for cmd_arg in hgarg[5:].split(';'):
                     cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)
-                    op = mapping.get(cmd, 'pull')
+                    op = mapping.get(cmd, 'push')
                     if op != 'pull':
                         assert op == 'push'
                         return 'push'
                 return 'pull'
-            return mapping.get(cmd, 'pull')
+            return mapping.get(cmd, 'push')
         raise Exception('Unable to detect pull/push action !!'
                         'Are you using non standard command or client ?')
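Review bot: The new `mapping` literal is an access-control allow-list but carries no statement of the policy it implements, and it is rebuilt on every request although it never changes; hoist it to a module-level constant (e.g. `HG_WIRE_COMMAND_ACCESS`) and put the policy in its header comment. Something like `# Allow-list of Mercurial wire-protocol commands and the permission each needs. Anything not listed is treated as 'push' (fail closed) - when a Mercurial upgrade adds new read-only commands they must be added here, otherwise pull-only users get permission errors instead of a silent escalation.` would tell the next maintainer both why unknown commands fail closed and what to do when `hg pull` starts breaking after an upgrade. The method this dict lives in starts above the hunk, so the `:param environ:` docstring it belongs to is only partly visible.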
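Review bot: The fail-closed default `op = mapping.get(cmd, 'push')` only protects commands the batch loop actually sees, and `hgarg`, assigned above the hunk, appears to hold a single `X-HgArg-1` header value; if I read Mercurial's httppeer right, a client whose argument string exceeds the advertised `httpheader` size continues it in `X-HgArg-2`, `X-HgArg-3`, … and any `pushkey` carried in those later headers is never classified, while the server still executes it. Consider rebuilding `hgarg` by joining every `HTTP_X_HGARG_%d` header in order, starting at 1 and stopping at the first gap, before slicing off `cmds=`, and returning `'push'` when the joined value does not start with `cmds=` just as the existing paranoid branch does. A truncated last entry that has no space also makes `split(' ', 1)` raise rather than deny; `cmd, _sep, _args = urllib.unquote_plus(cmd_arg).partition(' ')` keeps that path fail-closed too. The enclosing function begins before the hunk, so the header read itself is not visible here and this should be confirmed against the line that sets `hgarg`.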