Mercurial > hg-stable

diff mercurial/hgweb/hgweb_mod.py @ 37096:db114320df7e

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: don't responsd to api requests unless feature is enabled Per discussion at https://phab.mercurial-scm.org/D2834, new URLs in hgweb can conflict with subrepos and virtual repos. This may prevent access to repos in certain paths or having certain names. Until we have a workaround for this, let's not serve requests for "api/" URLs unless the feature is enabled. Differential Revision: https://phab.mercurial-scm.org/D2936
author Gregory Szorc <gregory.szorc@gmail.com>
date Fri, 23 Mar 2018 11:20:13 -0700
parents 1cfef5693203
children 307ee8883975
line wrap: on
line diff
--- a/mercurial/hgweb/hgweb_mod.py	Fri Mar 23 11:20:49 2018 -0700
+++ b/mercurial/hgweb/hgweb_mod.py	Fri Mar 23 11:20:13 2018 -0700
@@ -321,8 +321,11 @@
             res.headers['Content-Security-Policy'] = rctx.csp
 
         # /api/* is reserved for various API implementations. Dispatch
-        # accordingly.
-        if req.dispatchparts and req.dispatchparts[0] == b'api':
+        # accordingly. But URL paths can conflict with subrepos and virtual
+        # repos in hgwebdir. So until we have a workaround for this, only
+        # expose the URLs if the feature is enabled.
+        apienabled = rctx.repo.ui.configbool('experimental', 'web.apiserver')
+        if apienabled and req.dispatchparts and req.dispatchparts[0] == b'api':
             wireprotoserver.handlewsgiapirequest(rctx, req, res,
                                                  self.check_perm)
             return res.sendresponse()