changeset 39488:15e8250a82da

hgweb: do not audit URL path as working-directory path Since hgweb is an interface to repository data, we don't need to prohibit any paths conflicting within the filesystem. Still an access to working files is audited by filectx.
author Yuya Nishihara <yuya@tcha.org>
date Sun, 26 Aug 2018 22:18:09 +0900
parents 17ca967e9fca
children 4e4fae1dda5c
files mercurial/hgweb/webutil.py tests/test-hgwebdir.t
diffstat 2 files changed, 8 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/hgweb/webutil.py	Sun Aug 26 22:23:25 2018 +0900
+++ b/mercurial/hgweb/webutil.py	Sun Aug 26 22:18:09 2018 +0900
@@ -320,7 +320,8 @@
 
 def cleanpath(repo, path):
     path = path.lstrip('/')
-    return pathutil.canonpath(repo.root, '', path)
+    auditor = pathutil.pathauditor(repo.root, realfs=False)
+    return pathutil.canonpath(repo.root, '', path, auditor=auditor)
 
 def changectx(repo, req):
     changeid = "tip"
--- a/tests/test-hgwebdir.t	Sun Aug 26 22:23:25 2018 +0900
+++ b/tests/test-hgwebdir.t	Sun Aug 26 22:18:09 2018 +0900
@@ -1231,14 +1231,15 @@
   
   f2
 
-Test accessing file that is shadowed by another repository
+Test accessing file that could be shadowed by another repository if the URL
+path were audited as a working-directory path:
 
   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/tip/f3/file?style=raw'
-  403 Forbidden
-  
+  200 Script output follows
   
-  error: path 'f3/file' is inside nested repo 'f3'
-  [1]
+  f3/file
+
+Test accessing working-directory file that is shadowed by another repository
 
   $ get-with-headers.py localhost:$HGPORT1 'rcoll/notrepo/f/file/ffffffffffff/f3/file?style=raw'
   403 Forbidden