wireproto: define and implement HTTP handshake to upgrade protocol
When clients connect to repositories over HTTP, they issue a request
to the well-known URL "?cmd=capabilities" to fetch the repository
capabilities. This is the handshake portion of the HTTP protocol.
This commit defines a mechanism to use that HTTP request to return
information about modern server features.
If a client sends an X-HgUpgrade-* header containing a list of
client-supported API names, the server responds with a response
containing information about available services. This includes
the normal capabilities string. So if the server doesn't support
any newer services, the client can easily fall back.
By advertising supported services from clients, server operators
can see and log what client support exists in the wild. This will
also help with debugging.
The response contains the base path to API services. We know there
are potential issues with the <repo>/api/ URL space conflicting with
hgwebdir and subrepos. By making the API URL dynamic from the
perspective of the client, the URL for APIs is not subject to backwards
compatibility concerns - at least as long as a ?cmd=capabilities request
is made.
We've also defined the ``cbor`` client capability for the X-HgProto-*
header. This MUST be sent in order to get the modern response from
"?cmd=capabilities". During implementation, I initially always sent
an application/mercurial-cbor response. However, the handshake
mechanism will be more future compatible if the client is in charge
of which formats to request. We already perform content negotiation
from X-HgProto-*, so keying off this for the capabilities response
feels appropriate.
In addition, I initially used application/cbor. However, it is
conceivable that a non-Mercurial server could serve application/cbor.
To rule out this possibility, I've invented a new media type that
is Mercurial specific and can't be confused for generic CBOR.
Differential Revision: https://phab.mercurial-scm.org/D3242
The simple store doesn't escape paths robustly and can't store paths
with periods, etc. So much of this test fails with it.
#require no-reposimplestore
$ hg init
audit of .hg
$ hg add .hg/00changelog.i
abort: path contains illegal component: .hg/00changelog.i
[255]
#if symlink
Symlinks
$ mkdir a
$ echo a > a/a
$ hg ci -Ama
adding a/a
$ ln -s a b
$ echo b > a/b
$ hg add b/b
abort: path 'b/b' traverses symbolic link 'b'
[255]
$ hg add b
should still fail - maybe
$ hg add b/b
abort: path 'b/b' traverses symbolic link 'b'
[255]
$ hg commit -m 'add symlink b'
Test symlink traversing when accessing history:
-----------------------------------------------
(build a changeset where the path exists as a directory)
$ hg up 0
0 files updated, 0 files merged, 1 files removed, 0 files unresolved
$ mkdir b
$ echo c > b/a
$ hg add b/a
$ hg ci -m 'add directory b'
created new head
Test that hg cat does not do anything wrong the working copy has 'b' as directory
$ hg cat b/a
c
$ hg cat -r "desc(directory)" b/a
c
$ hg cat -r "desc(symlink)" b/a
b/a: no such file in rev bc151a1f53bd
[1]
Test that hg cat does not do anything wrong the working copy has 'b' as a symlink (issue4749)
$ hg up 'desc(symlink)'
1 files updated, 0 files merged, 1 files removed, 0 files unresolved
$ hg cat b/a
b/a: no such file in rev bc151a1f53bd
[1]
$ hg cat -r "desc(directory)" b/a
c
$ hg cat -r "desc(symlink)" b/a
b/a: no such file in rev bc151a1f53bd
[1]
#endif
unbundle tampered bundle
$ hg init target
$ cd target
$ hg unbundle "$TESTDIR/bundles/tampered.hg"
adding changesets
adding manifests
adding file changes
added 5 changesets with 6 changes to 6 files (+4 heads)
new changesets b7da9bf6b037:fc1393d727bc
(run 'hg heads' to see heads, 'hg merge' to merge)
attack .hg/test
$ hg manifest -r0
.hg/test
$ hg update -Cr0
abort: path contains illegal component: .hg/test
[255]
attack foo/.hg/test
$ hg manifest -r1
foo/.hg/test
$ hg update -Cr1
abort: path 'foo/.hg/test' is inside nested repo 'foo'
[255]
attack back/test where back symlinks to ..
$ hg manifest -r2
back
back/test
#if symlink
$ hg update -Cr2
abort: path 'back/test' traverses symbolic link 'back'
[255]
#else
('back' will be a file and cause some other system specific error)
$ hg update -Cr2
abort: $TESTTMP/target/back/test: $ENOTDIR$
[255]
#endif
attack ../test
$ hg manifest -r3
../test
$ mkdir ../test
$ echo data > ../test/file
$ hg update -Cr3
abort: path contains illegal component: ../test
[255]
$ cat ../test/file
data
attack /tmp/test
$ hg manifest -r4
/tmp/test
$ hg update -Cr4
abort: path contains illegal component: /tmp/test
[255]
$ cd ..
Test symlink traversal on merge:
--------------------------------
#if symlink
set up symlink hell
$ mkdir merge-symlink-out
$ hg init merge-symlink
$ cd merge-symlink
$ touch base
$ hg commit -qAm base
$ ln -s ../merge-symlink-out a
$ hg commit -qAm 'symlink a -> ../merge-symlink-out'
$ hg up -q 0
$ mkdir a
$ touch a/poisoned
$ hg commit -qAm 'file a/poisoned'
$ hg log -G -T '{rev}: {desc}\n'
@ 2: file a/poisoned
|
| o 1: symlink a -> ../merge-symlink-out
|/
o 0: base
try trivial merge
$ hg up -qC 1
$ hg merge 2
abort: path 'a/poisoned' traverses symbolic link 'a'
[255]
try rebase onto other revision: cache of audited paths should be discarded,
and the rebase should fail (issue5628)
$ hg up -qC 2
$ hg rebase -s 2 -d 1 --config extensions.rebase=
rebasing 2:e73c21d6b244 "file a/poisoned" (tip)
abort: path 'a/poisoned' traverses symbolic link 'a'
[255]
$ ls ../merge-symlink-out
$ cd ..
Test symlink traversal on update:
---------------------------------
$ mkdir update-symlink-out
$ hg init update-symlink
$ cd update-symlink
$ ln -s ../update-symlink-out a
$ hg commit -qAm 'symlink a -> ../update-symlink-out'
$ hg rm a
$ mkdir a && touch a/b
$ hg ci -qAm 'file a/b' a/b
$ hg up -qC 0
$ hg rm a
$ mkdir a && touch a/c
$ hg ci -qAm 'rm a, file a/c'
$ hg log -G -T '{rev}: {desc}\n'
@ 2: rm a, file a/c
|
| o 1: file a/b
|/
o 0: symlink a -> ../update-symlink-out
try linear update where symlink already exists:
$ hg up -qC 0
$ hg up 1
abort: path 'a/b' traverses symbolic link 'a'
[255]
try linear update including symlinked directory and its content: paths are
audited first by calculateupdates(), where no symlink is created so both
'a' and 'a/b' are taken as good paths. still applyupdates() should fail.
$ hg up -qC null
$ hg up 1
abort: path 'a/b' traverses symbolic link 'a'
[255]
$ ls ../update-symlink-out
try branch update replacing directory with symlink, and its content: the
path 'a' is audited as a directory first, which should be audited again as
a symlink.
$ rm -f a
$ hg up -qC 2
$ hg up 1
abort: path 'a/b' traverses symbolic link 'a'
[255]
$ ls ../update-symlink-out
$ cd ..
#endif