hgweb: do not audit URL path as working-directory path
authorYuya Nishihara <yuya@tcha.org>
Sun, 26 Aug 2018 22:18:09 +0900
changeset 39488 15e8250a82da
parent 39487 17ca967e9fca
child 39489 4e4fae1dda5c
hgweb: do not audit URL path as working-directory path Since hgweb is an interface to repository data, we don't need to prohibit any paths conflicting within the filesystem. Still an access to working files is audited by filectx.
mercurial/hgweb/webutil.py
tests/test-hgwebdir.t
--- a/mercurial/hgweb/webutil.py	Sun Aug 26 22:23:25 2018 +0900
+++ b/mercurial/hgweb/webutil.py	Sun Aug 26 22:18:09 2018 +0900
@@ -320,7 +320,8 @@
 
 def cleanpath(repo, path):
     path = path.lstrip('/')
-    return pathutil.canonpath(repo.root, '', path)
+    auditor = pathutil.pathauditor(repo.root, realfs=False)
+    return pathutil.canonpath(repo.root, '', path, auditor=auditor)
 
 def changectx(repo, req):
     changeid = "tip"
--- a/tests/test-hgwebdir.t	Sun Aug 26 22:23:25 2018 +0900
+++ b/tests/test-hgwebdir.t	Sun Aug 26 22:18:09 2018 +0900
@@ -1231,14 +1231,15 @@
   
   f2
 
-Test accessing file that is shadowed by another repository
+Test accessing file that could be shadowed by another repository if the URL
+path were audited as a working-directory path:
 
   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
-  403 Forbidden
-  
+  200 Script output follows
   
-  error: path 'f3/file' is inside nested repo 'f3'
-  [1]
+  f3/file
+
+Test accessing working-directory file that is shadowed by another repository
 
   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
   403 Forbidden