diff mercurial/hgweb/protocol.py @ 29788:b1809f5d7630

hgweb: document why we don't allow untrusted settings to control zlib Added comment per discussion on mercurial-devel.
author Gregory Szorc <gregory.szorc@gmail.com>
date Mon, 15 Aug 2016 20:39:33 -0700
parents 5e2365698d44
children 58467204cac0
--- a/mercurial/hgweb/protocol.py	Sun Aug 14 18:37:24 2016 -0700
+++ b/mercurial/hgweb/protocol.py	Mon Aug 15 20:39:33 2016 -0700
@@ -74,6 +74,9 @@
         self.ui.ferr, self.ui.fout = self.oldio
         return val
     def groupchunks(self, cg):
+        # Don't allow untrusted settings because disabling compression or
+        # setting a very high compression level could lead to flooding
+        # the server's network or CPU.
         z = zlib.compressobj(self.ui.configint('server', 'zliblevel', -1))
         while True:
             chunk = cg.read(4096)
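Review bot: The new comment above the `zlib.compressobj(...)` call in `groupchunks` states the risk but not the mechanism: the protection is that `configint` is called without `untrusted=True`, and nothing on the line says so, so a later edit that adds that argument would quietly undo it. I would name the setting and the mechanism, for example `# server.zliblevel is deliberately read from trusted config only (no untrusted=True):` followed by `# an untrusted hgrc could otherwise disable compression or force a very high level,` and `# flooding the server's network or CPU.` Separately, the configured level reaches zlib unvalidated. That is presumably acceptable for trusted config, but a range check (-1 to 9) would turn a typo into a clear configuration error instead of a failure while serving a request. The body of `groupchunks` continues past the end of the hunk.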