Mercurial > hg
comparison mercurial/hgweb/protocol.py @ 6335:e29557d687c9
hgweb: only accept POST requests for unbundle
| author | Dirkjan Ochtman <dirkjan@ochtman.nl> |
|---|---|
| date | Fri, 21 Mar 2008 00:55:53 +0100 |
| parents | be76e54570f0 |
| children | 8542fac26f63 |
comparison
equal
deleted
inserted
replaced
| 6334:7016f7fb8fe3 | 6335:e29557d687c9 |
|---|---|
| 104 resp = ' '.join(web.capabilities()) | 104 resp = ' '.join(web.capabilities()) |
| 105 req.respond(HTTP_OK, HGTYPE, length=len(resp)) | 105 req.respond(HTTP_OK, HGTYPE, length=len(resp)) |
| 106 req.write(resp) | 106 req.write(resp) |
| 107 | 107 |
| 108 def unbundle(web, req): | 108 def unbundle(web, req): |
| 109 | |
| 109 def bail(response, headers={}): | 110 def bail(response, headers={}): |
| 110 length = int(req.env['CONTENT_LENGTH']) | 111 length = int(req.env.get('CONTENT_LENGTH', 0)) |
| 111 for s in util.filechunkiter(req, limit=length): | 112 for s in util.filechunkiter(req, limit=length): |
| 112 # drain incoming bundle, else client will not see | 113 # drain incoming bundle, else client will not see |
| 113 # response when run outside cgi script | 114 # response when run outside cgi script |
| 114 pass | 115 pass |
| 116 | |
| 117 status = headers.pop('status', HTTP_OK) | |
| 115 req.header(headers.items()) | 118 req.header(headers.items()) |
| 116 req.respond(HTTP_OK, HGTYPE) | 119 req.respond(status, HGTYPE) |
| 117 req.write('0\n') | 120 req.write('0\n') |
| 118 req.write(response) | 121 req.write(response) |
| 122 | |
| 123 # enforce that you can only unbundle with POST requests | |
| 124 if req.env['REQUEST_METHOD'] != 'POST': | |
| 125 headers = {'status': '405 Method Not Allowed'} | |
| 126 bail('unbundle requires POST request\n', headers) | |
| 127 return | |
| 119 | 128 |
| 120 # require ssl by default, auth info cannot be sniffed and | 129 # require ssl by default, auth info cannot be sniffed and |
| 121 # replayed | 130 # replayed |
| 122 ssl_req = web.configbool('web', 'push_ssl', True) | 131 ssl_req = web.configbool('web', 'push_ssl', True) |
| 123 if ssl_req: | 132 if ssl_req: |
| 128 else: | 137 else: |
| 129 proto = 'http' | 138 proto = 'http' |
| 130 | 139 |
| 131 # do not allow push unless explicitly allowed | 140 # do not allow push unless explicitly allowed |
| 132 if not web.check_perm(req, 'push', False): | 141 if not web.check_perm(req, 'push', False): |
| 133 bail('push not authorized\n', | 142 bail('push not authorized\n', headers={'status': '401 Unauthorized'}) |
| 134 headers={'status': '401 Unauthorized'}) | |
| 135 return | 143 return |
| 136 | 144 |
| 137 their_heads = req.form['heads'][0].split(' ') | 145 their_heads = req.form['heads'][0].split(' ') |
| 138 | 146 |
| 139 def check_heads(): | 147 def check_heads(): |