subrepo: reject potentially unsafe subrepo paths (BC) (SEC) In addition to the previous patch, this prohibits '~', '$nonexistent', etc. for any subrepo types. I think this is safer, and real-world subrepos wouldn't use such (local) paths.

subrepo: prohibit variable expansion on creation of hg subrepo (SEC) It's probably wrong to expand path at localrepo.*repository() layer, but fixing the layering issue would require careful inspection of call paths. So, this patch adds add a validation to the subrepo constructor. os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.

subrepo: extend path auditing test to include more weird patterns (SEC) While reviewing patches for the issue 5739, "$foo in repository path expanded", I realized that subrepo paths can also be cheated. This patch includes various subrepo paths which are potentially unsafe. Since an expanded subrepo path isn't audited, this bug allows symlink check bypass. As a result, a malicious subrepository could be checked out to a sub tree of e.g. $HOME directory. The good news is that the destination directory must be empty or nonexistent, so the existing ~/.bashrc wouldn't be overwritten. See the last part of the tests for details.

copyright: update to 2019 Differential Revision: https://phab.mercurial-scm.org/D5779

revlog: make sure we never use sparserevlog without general delta (issue6056) We are getting user report where the delta code tries to use `sparse-revlog` logic on repository where `generaldelta` is disabled. This can't work so we ensure the two booleans have a consistent value. Creating this kind of repository is not expected to be possible the current bug report point at a clonebundle related bug that is still to be properly isolated (Yuya Nishihara seems to a have done it). Corrupting a repository to reproduce the issue is possible. A test using this method is included in this fix.

sparserevlog: document the config option This was overlooked when this graduated from experimental.

rust-cpython: raising error.WdirUnsupported The Graph implementation of hg-cpython returns the appropriate error upon encounter with the working directory special revision number, and this gives us in particular a code path to test from test-rust-ancestors.py In the current implementation, the exception is actually raised from the iterator instantiation; we are nonetheless consuming the iterator in the test with `list()` in order not to depend on implementation details.

rust: error for WdirUnsupported with cpython conversion as exception This introduces WorkingDirectoryUnsupported as an enum variant of GraphError in the core and converts it to the expected `mercurial.error.WdirUnsupported`.

rust: working directory revision number constant This introduces the constant, but does not use it anywhere yet.

ui: remove unreachable branches and function calls from write() (issue6059) This is at least faster than ui.write() of 4.8.2. $ HGRCPATH=/dev/null hg files -R mozilla-central --time >/dev/null 4.8.2: time: real 2.340 secs (user 2.310+0.000 sys 0.020+0.000) 4.9rc0: time: real 2.580 secs (user 2.550+0.000 sys 0.020+0.000) this: time: real 2.230 secs (user 2.210+0.000 sys 0.020+0.000) Maybe the formatter should own a resolved write() function because it will just call dest.write(msg) most of the time, but that would be too much for stable.