Mercurial > hg-stable

view tests/test-parseindex.t @ 29560:303e9300772a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 13 Jul 2016 21:35:54 -0700
parents df41c7be16d6
children 21fa3d3688f3
line wrap: on
line source

revlog.parseindex must be able to parse the index file even if
an index entry is split between two 64k blocks.  The ideal test
would be to create an index file with inline data where
64k < size < 64k + 64 (64k is the size of the read buffer, 64 is
the size of an index entry) and with an index entry starting right
before the 64k block boundary, and try to read it.
We approximate that by reducing the read buffer to 1 byte.

  $ hg init a
  $ cd a
  $ echo abc > foo
  $ hg add foo
  $ hg commit -m 'add foo'
  $ echo >> foo
  $ hg commit -m 'change foo'
  $ hg log -r 0:
  changeset:   0:7c31755bf9b5
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     add foo
  
  changeset:   1:26333235a41c
  tag:         tip
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     change foo
  
  $ cat >> test.py << EOF
  > from mercurial import changelog, scmutil
  > from mercurial.node import *
  > 
  > class singlebyteread(object):
  >     def __init__(self, real):
  >         self.real = real
  > 
  >     def read(self, size=-1):
  >         if size == 65536:
  >             size = 1
  >         return self.real.read(size)
  > 
  >     def __getattr__(self, key):
  >         return getattr(self.real, key)
  > 
  > def opener(*args):
  >     o = scmutil.opener(*args)
  >     def wrapper(*a):
  >         f = o(*a)
  >         return singlebyteread(f)
  >     return wrapper
  > 
  > cl = changelog.changelog(opener('.hg/store'))
  > print len(cl), 'revisions:'
  > for r in cl:
  >     print short(cl.node(r))
  > EOF
  $ python test.py
  2 revisions:
  7c31755bf9b5
  26333235a41c

  $ cd ..

#if no-pure

Test SEGV caused by bad revision passed to reachableroots() (issue4775):

  $ cd a

  $ python <<EOF
  > from mercurial import changelog, scmutil
  > cl = changelog.changelog(scmutil.vfs('.hg/store'))
  > print 'good heads:'
  > for head in [0, len(cl) - 1, -1]:
  >     print'%s: %r' % (head, cl.reachableroots(0, [head], [0]))
  > print 'bad heads:'
  > for head in [len(cl), 10000, -2, -10000, None]:
  >     print '%s:' % head,
  >     try:
  >         cl.reachableroots(0, [head], [0])
  >         print 'uncaught buffer overflow?'
  >     except (IndexError, TypeError) as inst:
  >         print inst
  > print 'good roots:'
  > for root in [0, len(cl) - 1, -1]:
  >     print '%s: %r' % (root, cl.reachableroots(root, [len(cl) - 1], [root]))
  > print 'out-of-range roots are ignored:'
  > for root in [len(cl), 10000, -2, -10000]:
  >     print '%s: %r' % (root, cl.reachableroots(root, [len(cl) - 1], [root]))
  > print 'bad roots:'
  > for root in [None]:
  >     print '%s:' % root,
  >     try:
  >         cl.reachableroots(root, [len(cl) - 1], [root])
  >         print 'uncaught error?'
  >     except TypeError as inst:
  >         print inst
  > EOF
  good heads:
  0: [0]
  1: [0]
  -1: []
  bad heads:
  2: head out of range
  10000: head out of range
  -2: head out of range
  -10000: head out of range
  None: an integer is required
  good roots:
  0: [0]
  1: [1]
  -1: [-1]
  out-of-range roots are ignored:
  2: []
  10000: []
  -2: []
  -10000: []
  bad roots:
  None: an integer is required

  $ cd ..

Test corrupted p1/p2 fields that could cause SEGV at parsers.c:

  $ mkdir invalidparent
  $ cd invalidparent

  $ hg clone --pull -q --config phases.publish=False ../a limit
  $ hg clone --pull -q --config phases.publish=False ../a segv
  $ rm -R limit/.hg/cache segv/.hg/cache

  $ python <<EOF
  > data = open("limit/.hg/store/00changelog.i", "rb").read()
  > for n, p in [('limit', '\0\0\0\x02'), ('segv', '\0\x01\0\0')]:
  >     # corrupt p1 at rev0 and p2 at rev1
  >     d = data[:24] + p + data[28:127 + 28] + p + data[127 + 32:]
  >     open(n + "/.hg/store/00changelog.i", "wb").write(d)
  > EOF

  $ hg debugindex -f1 limit/.hg/store/00changelog.i
     rev flag   offset   length     size   base   link     p1     p2       nodeid
       0 0000        0       63       62      0      0      2     -1 7c31755bf9b5
       1 0000       63       66       65      1      1      0      2 26333235a41c
  $ hg debugindex -f1 segv/.hg/store/00changelog.i
     rev flag   offset   length     size   base   link     p1     p2       nodeid
       0 0000        0       63       62      0      0  65536     -1 7c31755bf9b5
       1 0000       63       66       65      1      1      0  65536 26333235a41c

  $ cat <<EOF > test.py
  > import sys
  > from mercurial import changelog, scmutil
  > cl = changelog.changelog(scmutil.vfs(sys.argv[1]))
  > n0, n1 = cl.node(0), cl.node(1)
  > ops = [
  >     ('reachableroots',
  >      lambda: cl.index.reachableroots2(0, [1], [0], False)),
  >     ('compute_phases_map_sets', lambda: cl.computephases([[0], []])),
  >     ('index_headrevs', lambda: cl.headrevs()),
  >     ('find_gca_candidates', lambda: cl.commonancestorsheads(n0, n1)),
  >     ('find_deepest', lambda: cl.ancestor(n0, n1)),
  >     ]
  > for l, f in ops:
  >     print l + ':',
  >     try:
  >         f()
  >         print 'uncaught buffer overflow?'
  >     except ValueError, inst:
  >         print inst
  > EOF

  $ python test.py limit/.hg/store
  reachableroots: parent out of range
  compute_phases_map_sets: parent out of range
  index_headrevs: parent out of range
  find_gca_candidates: parent out of range
  find_deepest: parent out of range
  $ python test.py segv/.hg/store
  reachableroots: parent out of range
  compute_phases_map_sets: parent out of range
  index_headrevs: parent out of range
  find_gca_candidates: parent out of range
  find_deepest: parent out of range

  $ cd ..

#endif