Augie Fackler <raf@durin42.com> [Tue, 03 Jul 2018 12:10:22 -0400] rev 37881
Added signature for changeset 0b63a6743010
Augie Fackler <raf@durin42.com> [Tue, 03 Jul 2018 12:10:21 -0400] rev 37880
Added tag 4.6.2 for changeset 0b63a6743010
Sune Foldager <cryo@cyanite.org> [Mon, 25 Jun 2018 16:36:14 +0200] rev 37879
procutil: use unbuffered stdout on Windows
Windows doesn't support line buffering, treating it as fully buffered. This
causes output of slow commands to stutter. We use unbuffered instead.
Yuya Nishihara <yuya@tcha.org> [Tue, 19 Jun 2018 22:45:52 +0900] rev 37878
merge: do not fill manifest of committed revision with pseudo node (issue5526)
Since a75d24539aba "convert: fix convert dropping p2 contents during filemap
merge", wctx is not always a committablectx because the convert extension
passes in repo[n] as wctx. If wctx is a committed changeset, its manifest
dict shouldn't be mutated reflecting to the working directory.
Yuya Nishihara <yuya@tcha.org> [Fri, 15 Jun 2018 22:16:58 +0900] rev 37877
manifest: fix possible SEGV caused by uninitialized lazymanifest fields
Before, uninitialized self->pydata would be passed to lazymanifest_dealloc()
on OOM, and Py_DECREF(self->pydata) would crash if we were unlucky.
It's still wrong to do malloc() thingy in tp_init because __init__() may be
called more than once [1], but I don't want to go a step further in stable
branch.
[1]: https://docs.python.org/2/c-api/typeobj.html#c.PyTypeObject.tp_new
"The tp_new function should ... do only as much further initialization as
is absolutely necessary. Initialization that can safely be ignored or
repeated should be placed in the tp_init handler."
Augie Fackler <augie@google.com> [Fri, 15 Jun 2018 10:14:32 -0400] rev 37876
tests: replace `echo -n` with `printf` per check-code
Differential Revision: https://phab.mercurial-scm.org/D3749
Jun Wu <quark@fb.com> [Thu, 14 Jun 2018 14:04:26 -0700] rev 37875
crecord: fix line number in hunk header (issue5917)
`@@ -1,1 +-1,0 @@` is not a valid patch hunk header.
Change it to `@@ -1,1 +0,0 @@`.
Differential Revision: https://phab.mercurial-scm.org/D3737
Josef 'Jeff' Sipek <jeffpc@josefsipek.net> [Wed, 13 Jun 2018 10:41:20 -0400] rev 37874
lazymanifest: don't crash when out of memory (issue5916)
self->lines can be NULL if we failed to allocate memory for it.
Josef 'Jeff' Sipek <jeffpc@josefsipek.net> [Wed, 13 Jun 2018 10:37:39 -0400] rev 37873
cext: stop worrying and love the free(NULL)
There is no need to check for a NULL pointer before calling free since
free(NULL) is defined by C standards as a no-op. Lots of software relies on
this behavior so it is completely safe to call even on the most obscure of
systems.
Augie Fackler <augie@google.com> [Sun, 20 May 2018 23:05:18 -0400] rev 37872
tests: fix test-patch.t on pickier /bin/sh implementations
This is a graft of 0b39edeff033 and f44306940c94 from default because
I'm tired of seeing the FreeBSD build be red on stable. See those
revisions for details on what's going on here.
Jun Wu <quark@fb.com> [Wed, 06 Jun 2018 12:53:26 -0700] rev 37871
chg: fix an undefined behavior about memcpy
Spotted by Wez Furlong. `memcpy(x, NULL, 0)` is undefined according to [1].
[1]: https://stackoverflow.com/questions/5243012
Differential Revision: https://phab.mercurial-scm.org/D3698
Augie Fackler <raf@durin42.com> [Wed, 06 Jun 2018 13:28:49 -0400] rev 37870
Added signature for changeset 9c5ced5276d6
Augie Fackler <raf@durin42.com> [Wed, 06 Jun 2018 13:28:48 -0400] rev 37869
Added tag 4.6.1 for changeset 9c5ced5276d6
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:24:58 -0400] rev 37868
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:23:06 -0400] rev 37867
mpatch: avoid integer overflow in mpatch_decode (SEC)
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:20:13 -0400] rev 37866
mpatch: fix UB integer overflows in discard() (SEC)
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:15:11 -0400] rev 37865
mpatch: fix UB in int overflows in gather() (SEC)
Augie Fackler <augie@google.com> [Thu, 03 May 2018 12:54:20 -0400] rev 37864
mpatch: introduce a safesub() helper as well
Same reason as safeadd().
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:13:42 -0400] rev 37863
mpatch: introduce a safeadd() helper to work around UB int overflow
We're about to make extensive use of this. This change duplicates some
stdbool.h portability hacks from cext/util.h. We should probably clean
that up in the future, but we'll skip that for now in order to make
security backports easier.
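An added sketch, not Mercurial's own code, of the checked arithmetic that the safeadd()/safesub() commits above describe, applied to the size bookkeeping the (SEC) mpatch fixes are concerned with. The helper signatures, `struct frag` and `patched_size()` are assumptions made for illustration and do not reproduce mpatch's binary patch format.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* *dest += src, refusing (and leaving *dest alone) if the sum overflows int. */
static bool safeadd(int src, int *dest)
{
	if ((src > 0 && *dest > INT_MAX - src) ||
	    (src < 0 && *dest < INT_MIN - src))
		return false;
	*dest += src;
	return true;
}

/* *dest -= src with the same guarantee. */
static bool safesub(int src, int *dest)
{
	if ((src > 0 && *dest < INT_MIN + src) ||
	    (src < 0 && *dest > INT_MAX + src))
		return false;
	*dest -= src;
	return true;
}

/* Hypothetical fragment: replace orig[start, end) with len new bytes. */
struct frag {
	int start, end, len;
};

/* Size after applying sorted, non-overlapping fragments; false if malformed. */
static bool patched_size(int orig_len, const struct frag *f, size_t n, int *out)
{
	int size = orig_len, last = 0;
	size_t i;

	if (orig_len < 0)
		return false;
	for (i = 0; i < n; i++) {
		int delta = f[i].len;
		/* Reject ranges that are negative, reversed, or past the end of orig. */
		if (f[i].len < 0 || f[i].start < last ||
		    f[i].end < f[i].start || f[i].end > orig_len)
			return false;
		/* delta = len - (end - start), then size += delta, all checked. */
		if (!safesub(f[i].end, &delta) || !safeadd(f[i].start, &delta) ||
		    !safeadd(delta, &size))
			return false;
		last = f[i].end;
	}
	*out = size;
	return true;
}

int main(void)
{
	/* Constructed input: one insertion large enough to overflow the total. */
	struct frag huge[] = {{0, 0, INT_MAX}};
	int out = 0;
	printf("%s\n", patched_size(10, huge, 1, &out) ? "accepted" : "rejected");
	return 0;
}
```

Returning false instead of a wrapped value mirrors the commit notes above, where callers are expected to handle an error return.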
Augie Fackler <augie@google.com> [Sat, 28 Apr 2018 10:09:12 -0400] rev 37862
mpatch: ensure fragment start isn't past the end of orig (SEC)
Caught by oss-fuzz fuzzer during development.
This defect is OVE-20180430-0004. A CVE has not been obtained as of
this writing.
Augie Fackler <augie@google.com> [Sat, 28 Apr 2018 02:04:56 -0400] rev 37861
mpatch: protect against underflow in mpatch_apply (SEC)
Also caught by oss-fuzz fuzzer during development.
This defect is OVE-20180430-0002. A CVE has not been obtained as of this writing.
Augie Fackler <augie@google.com> [Sat, 28 Apr 2018 00:42:16 -0400] rev 37860
mpatch: be more careful about parsing binary patch data (SEC)
It appears to have been possible to trivially walk off the end of an
allocated region with a malformed patch. Oops.
Caught when writing an mpatch fuzzer for oss-fuzz.
This defect is OVE-20180430-0001. A CVE has not been obtained as of
this writing.
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 06 Jun 2018 09:14:33 -0700] rev 37859
zstandard: pull in bug fixes from upstream 0.9.1 release (issue5884)
This changeset contains the meaningful code changes from
python-zstandard's 0.9.1 release. The main fix is to restore
support for compiling with mingw.
Anton Shestakov <av6@dwimlabs.net> [Wed, 06 Jun 2018 21:19:42 +0800] rev 37858
templatefuncs: only render text portion of minirst.format() result
When "keep" argument is provided, the function returns (text, pruned), where
pruned is a list of sections from the original plain text that were pruned from
the rendered result. Let's not output it together with the rendered HTML.
Anton Shestakov <av6@dwimlabs.net> [Wed, 06 Jun 2018 21:15:26 +0800] rev 37857
tests: demonstrate that hgweb renders "pruned" that minirst.format() returns
Notice at the bottom of the help text there's "windows". It's a section that is
in the original help text, but was pruned (because hgweb didn't ask for it).
Matt Harbison <matt_harbison@yahoo.com> [Tue, 05 Jun 2018 23:49:54 -0400] rev 37856
rebase: avoid RevlogError when computing obsoletenotrebased (issue5907)
The key to reproducing this seems to be missing an obsolete node that is not an
ancestor of the destination.
Matt Harbison <matt_harbison@yahoo.com> [Sat, 02 Jun 2018 13:44:44 -0400] rev 37855
rebase: prioritize indicating an interrupted rebase over update (issue5838)
This should also cover the transplant extension, and any other non clearable
states.
Matt Harbison <matt_harbison@yahoo.com> [Sat, 02 Jun 2018 13:25:45 -0400] rev 37854
tests: demonstrate inconsistent messaging around interrupted rebases
Matt Harbison <matt_harbison@yahoo.com> [Thu, 31 May 2018 22:15:52 -0400] rev 37853
tests: adapt test-check-pylint to run on Windows
The line endings are explicitly converted because this was ending up with
'\r (no-eol) (esc)' lines, in addition to the usual '\r (esc)' lines. I've seen
the fakerc output on other recently installed systems though (10.13 and/or
Fedora 26). Unfortunately, the output here uses '\\' on Windows, so glob away
the whole path.
Matt Harbison <matt_harbison@yahoo.com> [Thu, 31 May 2018 22:11:47 -0400] rev 37852
hghave: avoid a deadlock reading the child process's output
The output of `pylint` is voluminous enough that it fills the buffer on Windows,
and waited for the parent to read it out. But the parent was waiting on the
child to exit.
I'm not sure what the intent of setting `ret = -1` in the exception handler just
above this was...
Matt Harbison <matt_harbison@yahoo.com> [Thu, 31 May 2018 09:19:09 -0400] rev 37851
lfs: bypass wrapped functions when reposetup() hasn't been called (issue5902)
There are only a handful of methods that access repo attributes that are applied
in reposetup(). The `diff` test covers all of the commands that call
scmutil.prefetchfiles(). Along the way, I saw that adding files and upgrading
the repo format were also problems (also tested here).
I don't think running `hg serve` through the commandserver is sane, but I
conditionalized both the capabilities and the wsgirequest handler because it's
trivially correct. It doesn't look like there has ever been a caller of
candownload(), so there's no test for that path.
The upload case isn't testable, because uploadblobs() bails if there are no
pointers. The requirement should be added any time pointers are introduced, and
that would force the extension to be loaded specifically for the repo. This
covers `debuglfsupload`, the pre-push hook (which isn't set until the repo is
promoted to LFS), and uploadblobsfromrevs(), which can be called by other
extensions.
I think readfromstore() and writetostore() are only reachable as a flag
processor for revlog.REVIDX_EXTSTORED, and a requirement is added as soon as
that is seen, so I don't think those are a problem.
Yuya Nishihara <yuya@tcha.org> [Thu, 24 May 2018 21:54:31 +0900] rev 37850
help: correct signature of separate() template function
Without the dots, it looked as if separate() would take a list of arguments.
Yuya Nishihara <yuya@tcha.org> [Fri, 18 May 2018 21:32:05 +0900] rev 37849
hgweb: do not try to replace signal handlers while locking
According to the issue 5889, mod_wsgi issues a warning on signal.signal()
call, and we wouldn't want to see it in error log. The problem addressed
by d77c3b023393 could potentially occur in web session, but that would be
less likely than in user processes.
Yuya Nishihara <yuya@tcha.org> [Fri, 18 May 2018 21:24:06 +0900] rev 37848
lock: add internal config to not replace signal handlers while locking
signal.signal() is blocked in some WSGI environments, and a horrible warning
is sent to the server log. So we need a way to disable it, and I think
abusing ui.config is the simplest workaround.
Augie Fackler <augie@google.com> [Tue, 22 May 2018 21:51:20 -0400] rev 37847
merge with i18n
Wagner Bruna <wbruna@softwareexpress.com.br> [Fri, 04 May 2018 18:55:57 -0300] rev 37846
i18n-pt_BR: synchronized with 32a75a8a5b0f
Wagner Bruna <wbruna@softwareexpress.com.br> [Fri, 04 May 2018 18:55:29 -0300] rev 37845
i18n-ja: fix block indentation
FUJIWARA Katsunori <foozy@lares.dti.ne.jp> [Tue, 01 May 2018 18:22:52 +0900] rev 37844
i18n-ja: synchronized with 32a75a8a5b0f
Boris Feld <boris.feld@octobus.net> [Mon, 21 May 2018 15:14:46 +0200] rev 37843
httppeer: declare 'dbg' at the function level
As we just saw in the previous changeset, having the variable defined in a
branch creates bugs. It is cheap to move it to the function level.
Boris Feld <boris.feld@octobus.net> [Fri, 04 May 2018 19:06:46 +0200] rev 37842
httppeer: properly gate debug usage behind debug flag check
The "dbg" local variable is only defined if the 'debugflag' is set to True.
However, it was used indiscriminately later in the function. We hide its usage
behind the 'debugflag' value to avoid raising a NameError.
Yuya Nishihara <yuya@tcha.org> [Tue, 15 May 2018 22:12:55 +0900] rev 37841
push: continue without locking on lock failure other than EEXIST (issue5882)
This code was added by 3f5e75c22585 "push: make locking of source optional
(issue3684)", but EACCES isn't the only error that could be triggered by
filesystem permission. I think catching LockUnavailable is more appropriate
than testing errno value by caller.
Julien Cristau <jcristau@debian.org> [Sat, 12 May 2018 22:29:28 +0200] rev 37840
bdiff: fix yet more fallout from xdiff long/int64 conversion (issue5885)
"l" in Py_BuildValue's format string means long, so passing int64_t
instead results in fireworks on 32bit architectures.
Differential Revision: https://phab.mercurial-scm.org/D3538
Yuya Nishihara <yuya@tcha.org> [Fri, 11 May 2018 20:10:22 +0900] rev 37839
revset: pass in lookup function to matchany() (issue5879)
Silly mistake in f83cb91b052e.
Yuya Nishihara <yuya@tcha.org> [Fri, 11 May 2018 20:08:30 +0900] rev 37838
test-hgweb: add test for foo-bar name lookup
This is broken since f83cb91b052e "revset: pass in lookup function instead
of repo (API)."
Boris Feld <boris.feld@octobus.net> [Tue, 08 May 2018 14:17:46 -0700] rev 37837
bundle2: mark the bundle2 part as advisory (issue5872)
It blocks old clients from reading bundles including this part.
Differential Revision: https://phab.mercurial-scm.org/D3481
Boris Feld <boris.feld@octobus.net> [Tue, 08 May 2018 11:39:38 +0200] rev 37836
debugbundle: also display if a part is mandatory or advisory
Most parts are mandatory but when introducing new parts, they should be
advisory if included by default or old clients won't be able to process it.
Differential Revision: https://phab.mercurial-scm.org/D3480
Kevin Bullock <kbullock@ringworld.org> [Sat, 05 May 2018 18:03:01 -0500] rev 37835
Added signature for changeset 6614cac550ae
Kevin Bullock <kbullock@ringworld.org> [Sat, 05 May 2018 18:02:59 -0500] rev 37834
Added tag 4.6 for changeset 6614cac550ae
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 30 Nov 2017 21:19:46 -0500] rev 37833
filelog: don't crash on invalid copy metadata (issue5748)
"copy" and "copyrev" are both supposed to appear next to each other.
However, a user report demonstrated a crash that indicates that
something in the wild is producing "copy" without "copyrev"
(probably `hg convert`).
While we should definitely fix the source of the bad metadata,
the bad code causing the crash is already in the wild and who knows
how many repositories are impacted. So let's be more defensive
when accessing the file revision metadata.
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 Apr 2018 15:32:11 -0700] rev 37832
httppeer: detect redirect to URL without query string (issue5860)
197d10e157ce subtly changed the HTTP peer's handling of HTTP redirects.
Before that changeset, we instantiated an HTTP peer instance and
performed the capabilities lookup with that instance. The old code had
the following relevant properties:
1) The HTTP request layer would automatically follow HTTP redirects.
2) An encountered HTTP redirect would update a peer instance variable
pointing to the repo URL.
3) The peer would automagically perform a "capabilities" command
request if a caller requested capabilities but capabilities were
not yet defined.
The first HTTP request issued by a peer is for ?cmd=capabilities. If
the server responds with an HTTP redirect to a ?cmd=capabilities URL,
the HTTP request layer automatically followed it, retrieved a valid
capabilities response, and the peer's base URL was updated
automatically so subsequent requests used the proper URL. In other
words, things "just worked."
In the case where the server redirected to a URL without the
?cmd=capabilities query string, the HTTP request layer would follow
the redirect and likely encounter HTML. The peer's base URL would be
updated and the unexpected Content-Type would raise a RepoError. We
would catch RepoError and immediately call between() (testing the case
for pre 0.9.1 servers not supporting the "capabilities" command). e.g.
    try:
        inst._fetchcaps()
    except error.RepoError:
        inst.between([(nullid, nullid)])
between() would eventually call into _callstream(). And _callstream()
made a call to self.capable('httpheader'). capable() would call
self.capabilities(), which would see that no capabilities were set
(because HTML was returned for that request) and call the "capabilities"
command to fetch capabilities. Because the base URL had been updated
from the redirect, this 2nd "capabilities" command would succeed and
the client would immediately call "between," which would also succeed.
The legacy handshake succeeded. Only because "capabilities" was
successfully executed as a side effect did the peer recognize that it
was talking to a modern server. In other words, this all appeared to
work accidentally.
After 197d10e157ce, we stopped calling the "capabilities" command on
the peer instance. Instead, we made the request via a low-level opener,
detected the redirect as part of response handling code, and passed the
redirected URL into the constructed peer instance.
For cases where the redirected URL included the query string, this
"just worked." But for cases where the redirected URL stripped the query
string, we threw RepoError and because we removed the "between" handshake
fallback, we fell through to the "is a static HTTP repo" check and
performed an HTTP request for .hg/requires.
While 197d10e157ce was marked as backwards incompatible, the only
intended backwards incompatible behavior was not performing the
"between" fallback. It was not realized that the "between" command
had the side-effect of recovering from an errant redirect that
dropped the query string.
This commit restores the previous behavior and allows clients to
handle a redirect that drops the query string. In the case where
the request is redirected and the query string is dropped, we raise
a special case of RepoError. We then catch this special exception in
the handshake code and perform another "capabilities" request against
the redirected URL. If that works, all is well. Otherwise, we fall back
to the "is a static HTTP repo" check.
The new code is arguably better than before 197d10e157ce, as it is
explicit about the expected behavior and we avoid performing a
"between" request, saving a server round trip.
Differential Revision: https://phab.mercurial-scm.org/D3433
Yuya Nishihara <yuya@tcha.org> [Thu, 03 May 2018 14:43:25 +0900] rev 37831
hgweb: prevent triggering dummy href="#" handler
Follow up for the previous patch.
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 02 May 2018 21:00:43 -0700] rev 37830
paper: add href="#" to links with click handlers
This restores the styling that was accidentally removed by the
previous change to these files.
Differential Revision: https://phab.mercurial-scm.org/D3438
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 02 May 2018 19:16:01 -0700] rev 37829
paper: don't register click handlers with inline javascript (issue5812)
The use of inline href="javascript:" undermines CSP policies that
don't allow inline javascript.
This commit changes the registering of the diffstat and line wrapping
toggle handlers to the global DOMContentLoaded handler, thus
eliminating all inline javascript from the paper template.
Differential Revision: https://phab.mercurial-scm.org/D3437
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 Apr 2018 17:28:59 -0700] rev 37828
hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
A side-effect of 98baf8dea553 was that the Content-Security-Policy
header was set on all HTTP responses by default. This header wasn't
in our list of allowed headers for HTTP 304 responses. This would
trigger a ProgrammingError when a 304 response was issued via hgwebdir.
This commit adds Content-Security-Policy to the allow list of headers
for 304 responses so we no longer encounter the error.
Differential Revision: https://phab.mercurial-scm.org/D3436
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 Apr 2018 17:22:20 -0700] rev 37827
hgweb: discard Content-Type header for 304 responses (issue5844)
A side-effect of 98baf8dea553 was that hgwebdir always sets a global
default for the Content-Type header. HTTP 304 responses don't allow
the Content-Type header. So a side-effect of this change was that
HTTP 304 responses served via hgwebdir resulted in a ProgrammingError
being raised.
This commit teaches our 304 response issuing code to drop the
Content-Type header.
Differential Revision: https://phab.mercurial-scm.org/D3435
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 30 Apr 2018 17:08:56 -0700] rev 37826
tests: add tests demonstrating ISE for HTTP 304 responses with hgwebdir
There are two separate failures here. One for the Content-Type header.
Another for the Content-Security-Policy header.
Differential Revision: https://phab.mercurial-scm.org/D3434
Gregory Szorc <gregory.szorc@gmail.com> [Fri, 27 Apr 2018 14:51:02 -0700] rev 37825
hgweb: guard against empty Content-Length header
Discussion in issue 5860 seems to indicate this can occur.
Differential Revision: https://phab.mercurial-scm.org/D3432
Yuya Nishihara <yuya@tcha.org> [Thu, 26 Apr 2018 21:10:56 +0900] rev 37824
test-push-http: do not clear pid file
It's okay now, but we'll end up leaking daemon processes if we add some
more.
Yuya Nishihara <yuya@tcha.org> [Thu, 26 Apr 2018 21:24:13 +0900] rev 37823
debugcolor: fix crash by empty styles (issue5856)
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 25 Apr 2018 14:51:20 -0700] rev 37822
tests: explicitly define compression engines for tests
The zstd compression engine requires C extensions and isn't present
in pure Python builds.
The compression engine list leaks into the server capabilities string.
Unless we're testing functionality specific to a compression format,
the set of compression formats supported by a server doesn't matter
much.
So this commit explicitly defines the server's compression engines for
some tests so behavior is consistent between pure and non-pure builds.
Differential Revision: https://phab.mercurial-scm.org/D3431