hgweb: do not audit URL path as working-directory path
Since hgweb is an interface to repository data, we don't need to prohibit
any paths conflicting within the filesystem. Still an access to working
files is audited by filectx.
--- a/mercurial/hgweb/webutil.py Sun Aug 26 22:23:25 2018 +0900
+++ b/mercurial/hgweb/webutil.py Sun Aug 26 22:18:09 2018 +0900
@@ -320,7 +320,8 @@
def cleanpath(repo, path):
path = path.lstrip('/')
- return pathutil.canonpath(repo.root, '', path)
+ auditor = pathutil.pathauditor(repo.root, realfs=False)
+ return pathutil.canonpath(repo.root, '', path, auditor=auditor)
def changectx(repo, req):
changeid = "tip"
--- a/tests/test-hgwebdir.t Sun Aug 26 22:23:25 2018 +0900
+++ b/tests/test-hgwebdir.t Sun Aug 26 22:18:09 2018 +0900
@@ -1231,14 +1231,15 @@
f2
-Test accessing file that is shadowed by another repository
+Test accessing file that could be shadowed by another repository if the URL
+path were audited as a working-directory path:
$ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
- 403 Forbidden
-
+ 200 Script output follows
- error: path 'f3/file' is inside nested repo 'f3'
- [1]
+ f3/file
+
+Test accessing working-directory file that is shadowed by another repository
$ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
403 Forbidden