Mercurial > hg-stable
changeset 5963:5be210afe1b8
hgweb: explicitly check if requested command exists
author | Dirkjan Ochtman <dirkjan@ochtman.nl> |
---|---|
date | Mon, 28 Jan 2008 14:58:03 +0100 |
parents | 0011316fbe0e |
children | 1cd1582ef25f |
files | mercurial/hgweb/hgweb_mod.py mercurial/hgweb/protocol.py mercurial/hgweb/webcommands.py |
diffstat | 3 files changed, 21 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/hgweb/hgweb_mod.py Mon Jan 28 13:42:40 2008 +0100 +++ b/mercurial/hgweb/hgweb_mod.py Mon Jan 28 14:58:03 2008 +0100 @@ -202,17 +202,18 @@ try: cmd = req.form.get('cmd', [''])[0] - if hasattr(protocol, cmd): + if cmd in protocol.__all__: method = getattr(protocol, cmd) method(self, req) else: - tmpl = self.templater(req) if cmd == '': req.form['cmd'] = [tmpl.cache['default']] cmd = req.form['cmd'][0] - if cmd == 'file' and 'raw' in req.form.get('style', []): + if cmd not in webcommands.__all__: + raise ErrorResponse(400, 'No such method: ' + cmd) + elif cmd == 'file' and 'raw' in req.form.get('style', []): webcommands.rawfile(self, req, tmpl) else: getattr(webcommands, cmd)(self, req, tmpl) @@ -227,8 +228,6 @@ tmpl('error', error=str(inst))) except ErrorResponse, inst: req.respond(inst.code, tmpl('error', error=inst.message)) - except AttributeError: - req.respond(400, tmpl('error', error='No such method: ' + cmd)) def templater(self, req):
--- a/mercurial/hgweb/protocol.py Mon Jan 28 13:42:40 2008 +0100 +++ b/mercurial/hgweb/protocol.py Mon Jan 28 14:58:03 2008 +0100 @@ -10,6 +10,14 @@ from mercurial.i18n import gettext as _ from mercurial.node import * +# __all__ is populated with the allowed commands. Be sure to add to it if +# you're adding a new command, or the new command won't work. + +__all__ = [ + 'lookup', 'heads', 'branches', 'between', 'changegroup', + 'changegroupsubset', 'capabilities', 'unbundle', 'stream_out', +] + def lookup(web, req): try: r = hex(web.repo.lookup(req.form['key'][0]))
--- a/mercurial/hgweb/webcommands.py Mon Jan 28 13:42:40 2008 +0100 +++ b/mercurial/hgweb/webcommands.py Mon Jan 28 14:58:03 2008 +0100 @@ -9,6 +9,15 @@ from mercurial import revlog, util, hg from common import staticfile, ErrorResponse +# __all__ is populated with the allowed commands. Be sure to add to it if +# you're adding a new command, or the new command won't work. + +__all__ = [ + 'log', 'rawfile', 'file', 'changelog', 'shortlog', 'changeset', 'rev', + 'manifest', 'tags', 'summary', 'filediff', 'diff', 'annotate', 'filelog', + 'archive', 'static', +] + def log(web, req, tmpl): if 'file' in req.form and req.form['file'][0]: filelog(web, req, tmpl)