changeset 30850:41e31a6f5296 stable
revset: prevent using outgoing() and remote() in hgweb session (BC)

outgoing() and remote() may stall for long due to network I/O, which seems
unsafe per definition, "whether a predicate is safe for DoS attack." But I'm
not 100% sure about this. If our concern isn't elapsed time but CPU resource,
these predicates are considered safe. Perhaps that would be up to the
web/application server configuration?

Anyway, outgoing() and remote() wouldn't be useful in hgweb, so I think
it's okay to ban them.

author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Fri, 20 Jan 2017 21:33:18 +0900 |
parents | 763031a7690d |
children | 7bfe02b57695 |
files | mercurial/revset.py |
diffstat | 1 files changed, 2 insertions(+), 2 deletions(-) |
--- a/mercurial/revset.py Thu Jan 19 16:23:49 2017 -0500 +++ b/mercurial/revset.py Fri Jan 20 21:33:18 2017 +0900 @@ -1546,7 +1546,7 @@ # some optimizations from the fact this is a baseset. return subset & o -@predicate('outgoing([path])', safe=True) +@predicate('outgoing([path])', safe=False) def outgoing(repo, subset, x): """Changesets not found in the specified destination repository, or the default push location. @@ -1737,7 +1737,7 @@ return subset.filter(condition, condrepr=('<phase %r>', target), cache=False) -@predicate('remote([id [,path]])', safe=True) +@predicate('remote([id [,path]])', safe=False) def remote(repo, subset, x): """Local revision that corresponds to the given identifier in a remote repository, if present. Here, the '.' identifier is a
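Review bot: no test accompanies the flip to `safe=False` on the `outgoing([path])` decorator in the first hunk (@@ -1546); the diffstat lists only mercurial/revset.py. Since this is marked (BC) and the flag is the only thing keeping the predicate out of hgweb, an hgweb test that submits a revset containing outgoing() and asserts the predicate is not evaluated would keep the ban from regressing silently if the decorator is touched again.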
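Review bot: in the second hunk (@@ -1737), `@predicate('remote([id [,path]])', safe=False)` carries no comment saying why it is unsafe, and the visible part of the docstring below it does not tell users the predicate is unavailable in hgweb. The commit message bases the decision on stalls from network I/O rather than CPU cost, which is not obvious from the code; a one-line comment above the decorator stating that the predicate may block on network I/O would record the reason next to the flag. The same applies to outgoing() in the first hunk.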