Clean up paths passed to hgweb
authorMatt Mackall <mpm@selenic.com>
Sun, 29 Jan 2006 09:10:13 +1300
changeset 1646 8e9c203946ae
parent 1645 c6ffedc4f11b
child 1647 64a1169c927d
Clean up paths passed to hgweb (spotted by Peter van Dijk)
mercurial/hgweb.py
--- a/mercurial/hgweb.py	Sun Jan 29 08:38:31 2006 +1300
+++ b/mercurial/hgweb.py	Sun Jan 29 09:10:13 2006 +1300
@@ -801,6 +801,12 @@
     # find tag, changeset, file
 
     def run(self, req=hgrequest()):
+        def clean(path):
+            p = os.path.normpath(path)
+            if p[:2] == "..":
+                raise "suspicious path"
+            return p
+
         def header(**map):
             yield self.t("header", **map)
 
@@ -881,7 +887,8 @@
             req.write(self.changeset(req.form['node'][0]))
 
         elif req.form['cmd'][0] == 'manifest':
-            req.write(self.manifest(req.form['manifest'][0], req.form['path'][0]))
+            req.write(self.manifest(req.form['manifest'][0],
+                                    clean(req.form['path'][0])))
 
         elif req.form['cmd'][0] == 'tags':
             req.write(self.tags())
@@ -890,16 +897,20 @@
             req.write(self.summary())
 
         elif req.form['cmd'][0] == 'filediff':
-            req.write(self.filediff(req.form['file'][0], req.form['node'][0]))
+            req.write(self.filediff(clean(req.form['file'][0]),
+                                    req.form['node'][0]))
 
         elif req.form['cmd'][0] == 'file':
-            req.write(self.filerevision(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.filerevision(clean(req.form['file'][0]),
+                                        req.form['filenode'][0]))
 
         elif req.form['cmd'][0] == 'annotate':
-            req.write(self.fileannotate(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.fileannotate(clean(req.form['file'][0]),
+                                        req.form['filenode'][0]))
 
         elif req.form['cmd'][0] == 'filelog':
-            req.write(self.filelog(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.filelog(clean(req.form['file'][0]),
+                                   req.form['filenode'][0]))
 
         elif req.form['cmd'][0] == 'heads':
             req.httphdr("application/mercurial-0.1")