Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:51:42 +0900] rev 34965
subrepo: disable git and svn subrepos by default (BC) (SEC)
We have a security issue with git subrepos. I'm not sure if svn subrepo is
vulnerable, but it seems not 100% safe to allow writing arbitrary data into
a metadata directory. So for now, only hg subrepo is enabled by default.
Maybe we should improve the help to describe why git/svn subrepos are
disabled.
Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:48:58 +0900] rev 34964
subrepo: extend config option to disable subrepos by type (SEC)
This allows us to minimize the behavior change introduced by the next patch.
I have no idea which config style is preferred in UX POV, but I decided to
get things done.
a) list: 'allowed = hg, git, svn'
b) sub option: 'allowed.hg = True' or 'allowed:hg = True'
c) per-type action: 'hg = allow', 'git = abort'
Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:22:07 +0900] rev 34963
subrepo: add config option to reject any subrepo operations (SEC)
This is an alternative workaround for the issue5730.
Perhaps this is the simplest way of disabling subrepo operations. It does
nothing clever, but just aborts if Mercurial starts accessing to a subrepo.
I think Greg's patch is more useful since it allows us to at least check
out the parent repository. However, that would be confusing if the default
is flipped to checkout=False and subrepos are silently ignored.
I don't like the config name 'allowed', but I couldn't get any better name.
Yuya Nishihara <yuya@tcha.org> [Fri, 03 Nov 2017 20:12:50 +0900] rev 34962
subrepo: disallow symlink traversal across subrepo mount point (SEC)
It wasn't easy to extend the pathauditor to check symlink traversal across
subrepos because pathauditor._checkfs() rejects a directory having ".hg"
directory. That's why I added the explicit islink() check.
No idea if this patch is necessary after we've fixed the issue5730 by
splitting submerge() into planning and execution phases.
Yuya Nishihara <yuya@tcha.org> [Fri, 03 Nov 2017 19:17:25 +0900] rev 34961
tests: show symlink traversal across subrepo mount point (SEC)
Also adds a couple of tests where the auditor does work as expected.
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 06 Nov 2017 10:33:40 -0800] rev 34960
share: move config item declarations into core
These config items control share behavior that is implemented in core.
Since the functionality is implemented in core, extensions may
leverage it.
Mozilla has one such extension. And, it needs to access share.pool.
Before this patch, a devel warning regarding accessing an unregistered
config option would be issued unless the share extension were loaded.
Moving the registration of the config options to core fixes this.
Matt Harbison <matt_harbison@yahoo.com> [Sat, 04 Nov 2017 23:39:54 -0400] rev 34959
morestatus: don't crash with different drive letters for repo.root and CWD
Previously, if there were unresolved files and the CWD drive was different from
the repo drive, `hg status -v` would page the normal status, followed by the
exception header. A stacktrace was waiting when the pager exited. The
underlying cause was the same as f445b10dc7fb.
Unfortunately, I don't see any reasonable way to write a test this [1].
[1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107401.html
Matt Harbison <matt_harbison@yahoo.com> [Fri, 03 Nov 2017 22:22:50 -0400] rev 34958
pathutil: add doctests for canonpath()
This is a followup to f445b10dc7fb. Since there's no way to ensure that more
drive letters than C: exist, this seems like the only way to test it. This is
enough to catch the f445b10dc7fb scenario, as well as CWD outside of the repo
when the path isn't prefixed with path/to/repo.
Matt Harbison <matt_harbison@yahoo.com> [Thu, 02 Nov 2017 23:55:09 -0400] rev 34957
share: handle --relative shares to a different drive letter gracefully
This had the same problem as f445b10dc7fb. Banning os.path.relpath() is
tempting, but the hint it provides is useful here.
Matt Harbison <matt_harbison@yahoo.com> [Thu, 02 Nov 2017 20:35:31 -0400] rev 34956
pathutil: use util.pathto() to calculate relative cwd in canonpath()
os.path.relpath() exploded if the 'root' and 'cwd' directories had different
drive letters. I noticed this in TortoiseHg when typing a fileset into the
filter, and it kept complaining until the closing '()' was typed. This was
reproducible on the command line with:
$ cd /d
$ hg -R /c/Users/Matt/Projects/hg files 'set:e'
Traceback (most recent call last):
...
File "mercurial\pathutil.pyc", line 182, in canonpath
File "ntpath.pyc", line 529, in relpath
ValueError: path is on drive c:, start on drive d:
Kevin Bullock <kbullock@ringworld.org> [Wed, 01 Nov 2017 16:54:39 -0500] rev 34955
Added signature for changeset 0ccb43d4cf01
Kevin Bullock <kbullock@ringworld.org> [Wed, 01 Nov 2017 16:54:38 -0500] rev 34954
Added tag 4.4 for changeset 0ccb43d4cf01
Jun Wu <quark@fb.com> [Wed, 01 Nov 2017 14:22:26 -0700] rev 34953
test-dispatch: stabilize the test
When cwd is removed and `hg` is executed, some shells may run `getcwd`
before forking and executing, some may not do it, some may print a
different error message.
The test should be shell-independent so let's just avoid checking the error
message.
Differential Revision: https://phab.mercurial-scm.org/D1282
Kevin Bullock <kbullock+mercurial@ringworld.org> [Wed, 01 Nov 2017 15:34:22 -0500] rev 34952
internals: update test-help.t for config registrar copy-edit
Kevin Bullock <kbullock+mercurial@ringworld.org> [Wed, 01 Nov 2017 13:24:08 -0500] rev 34951
internals: copy-edit "register" -> "registrar" in configitem docs
Augie Fackler <augie@google.com> [Wed, 01 Nov 2017 16:07:33 -0400] rev 34950
merge with i18n
Wagner Bruna <wbruna@yahoo.com> [Wed, 01 Nov 2017 08:31:16 -0200] rev 34949
i18n-pt_BR: synchronized with cab34bda259e
Matt Harbison <matt_harbison@yahoo.com> [Tue, 31 Oct 2017 23:09:29 -0400] rev 34948
help: minor copy editing for grammar
Yuya Nishihara <yuya@tcha.org> [Tue, 31 Oct 2017 22:37:30 +0900] rev 34947
configitems: relax warning about unwanted default value
The original condition was a bit harsh for extension authors since third-party
extensions need to preserve compatibility with older Mercurial versions, where
no defaults would be loaded from the configtable. So let's silence the warning
if the given default value matches, which should be harmless.
Kostia Balytskyi <ikostia@fb.com> [Thu, 26 Oct 2017 11:07:06 -0700] rev 34946
filemerge: pass a default value to _toolstr (issue5718)
After a refactoring, _toolstr stopped having default="" as one of it's args,
therefore when called without a default it returns None and not "". This causes
concatenation to fail.
Pulkit Goyal <7895pulkit@gmail.com> [Tue, 31 Oct 2017 06:39:38 +0530] rev 34945
children: fix the log expansion of `hg children` in doc
`hg log -r children()` returns `hg: parse error: missing argument`.
Differential Revision: https://phab.mercurial-scm.org/D1269
Yuya Nishihara <yuya@tcha.org> [Sun, 29 Oct 2017 17:53:52 +0900] rev 34944
test-static-http: flush access log per request
It appears that stderr is fully buffered on Windows.
# no-check-commit because of log_message() function
Yuya Nishihara <yuya@tcha.org> [Sat, 28 Oct 2017 17:23:52 +0900] rev 34943
statichttprepo: do not use platform path separator to build a URL
It wouldn't work between Windows client and Unix server.
Siddharth Agarwal <sid0@fb.com> [Tue, 24 Oct 2017 11:15:30 -0700] rev 34942
merge: disable path conflict checking by default (issue5716)
We shouldn't ship a severe perf regression in hg update for 4.4.
Differential Revision: https://phab.mercurial-scm.org/D1223
Siddharth Agarwal <sid0@fb.com> [Tue, 24 Oct 2017 11:14:38 -0700] rev 34941
merge: add a config option to disable path conflict checking
We've found a severe perf regression in `hg update` caused by the path conflict
checking code. The next patch will disable this by default.
Differential Revision: https://phab.mercurial-scm.org/D1222
Mark Thomas <mbthomas@fb.com> [Fri, 20 Oct 2017 05:53:35 -0700] rev 34940
dirstate: clean up when restoring identical backups
When a dirstate backup is restored, it is possible that no actual changes to
the dirstate have been made. In this case, the backup is still a hardlink
to the original dirstate.
Unfortunately, `os.rename` silently fails (nothing happens, and no error
occurs) when `src` and `dst` are hardlinks to the same file. As a result,
the backup is left lying around. Over time, these files accumulate.
When restoring dirstate backups, check if the backup and the dirstate are
the same file, and if so, just delete the backup.
Differential Revision: https://phab.mercurial-scm.org/D1201
Mark Thomas <mbthomas@fb.com> [Fri, 20 Oct 2017 05:53:33 -0700] rev 34939
tests: add a test demonstrating failure to clean up dirstate backups
Differential Revision: https://phab.mercurial-scm.org/D1200
Matt Harbison <matt_harbison@yahoo.com> [Fri, 20 Oct 2017 23:01:56 -0400] rev 34938
tests: adjust hooks for Windows
I'm not sure why these weren't working on Windows. The failures were generally
in the style of:
- remote: phase-move: cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b: 1 -> 0
+ remote: "phase-move: $HG_NODE: $HG_OLDPHASE -> $HG_PHASE"
and
- abort: pretxnclose-bookmark.force-forward hook exited with status 1
- [255]
+ abort: pretxnclose-bookmark.force-public hook exited with status 255
+ [255]
These failures originated in ee5f0d047b41::f6d17075608f.