Mercurial > hg
view tests/test-pull.t @ 36858:01f6bba64424
hgweb: remove support for POST form data (BC)
Previously, we called out to cgi.parse(), which for POST requests
parsed multipart/form-data and application/x-www-form-urlencoded
Content-Type requests for form data, combined it with query string
parameters, returned a union of the values.
As far as I know, nothing in Mercurial actually uses this mechanism
to submit data to the HTTP server. The wire protocol has its own
mechanism for passing parameters. And the web interface only does
GET requests. Removing support for parsing POST data doesn't break
any tests.
Another reason to not like this feature is that cgi.parse() may
modify the QUERY_STRING environment variable as a side-effect.
In addition, it merges both POST data and the query string into
one data structure. This prevents consumers from knowing whether
a variable came from the query string or POST data. That can matter
for some operations.
I suspect we use cgi.parse() because back when this code was
initially implemented, it was the function that was readily
available. In other words, I don't think there was conscious
choice to support POST data: we just got it because cgi.parse()
supported it.
Since nothing uses the feature and it is untested, let's remove
support for parsing POST form data. We can add it back in easily
enough if we need it in the future.
.. bc::
Hgweb no longer reads form data in POST requests from
multipart/form-data and application/x-www-form-urlencoded
requests. Arguments should be specified as URL path components
or in the query string in the URL instead.
Differential Revision: https://phab.mercurial-scm.org/D2774
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sat, 10 Mar 2018 11:07:53 -0800 |
| parents | 1ee1a42bfdae |
| children | 6639ac97ec3b |
line wrap: on
line source
#require serve #testcases sshv1 sshv2 #if sshv2 $ cat >> $HGRCPATH << EOF > [experimental] > sshpeer.advertise-v2 = true > sshserver.support-v2 = true > EOF #endif $ hg init test $ cd test $ echo foo>foo $ hg addremove adding foo $ hg commit -m 1 $ hg verify checking changesets checking manifests crosschecking files in changesets and manifests checking files 1 files, 1 changesets, 1 total revisions $ hg serve -p $HGPORT -d --pid-file=hg.pid $ cat hg.pid >> $DAEMON_PIDS $ cd .. $ hg clone --pull http://foo:bar@localhost:$HGPORT/ copy requesting all changes adding changesets adding manifests adding file changes added 1 changesets with 1 changes to 1 files new changesets 340e38bdcde4 updating to branch default 1 files updated, 0 files merged, 0 files removed, 0 files unresolved $ cd copy $ hg verify checking changesets checking manifests crosschecking files in changesets and manifests checking files 1 files, 1 changesets, 1 total revisions $ hg co 0 files updated, 0 files merged, 0 files removed, 0 files unresolved $ cat foo foo $ hg manifest --debug 2ed2a3912a0b24502043eae84ee4b279c18b90dd 644 foo $ hg pull pulling from http://foo@localhost:$HGPORT/ searching for changes no changes found $ hg rollback --dry-run --verbose repository tip rolled back to revision -1 (undo pull: http://foo:***@localhost:$HGPORT/) Test pull of non-existing 20 character revision specification, making sure plain ascii identifiers not are encoded like a node: $ hg pull -r 'xxxxxxxxxxxxxxxxxxxy' pulling from http://foo@localhost:$HGPORT/ abort: unknown revision 'xxxxxxxxxxxxxxxxxxxy'! [255] $ hg pull -r 'xxxxxxxxxxxxxxxxxx y' pulling from http://foo@localhost:$HGPORT/ abort: unknown revision '7878787878787878787878787878787878782079'! [255] Issue622: hg init && hg pull -u URL doesn't checkout default branch $ cd .. $ hg init empty $ cd empty $ hg pull -u ../test pulling from ../test requesting all changes adding changesets adding manifests adding file changes added 1 changesets with 1 changes to 1 files new changesets 340e38bdcde4 1 files updated, 0 files merged, 0 files removed, 0 files unresolved Test 'file:' uri handling: $ hg pull -q file://../test-does-not-exist abort: file:// URLs can only refer to localhost [255] $ hg pull -q file://../test abort: file:// URLs can only refer to localhost [255] MSYS changes 'file:' into 'file;' #if no-msys $ hg pull -q file:../test # no-msys #endif It's tricky to make file:// URLs working on every platform with regular shell commands. $ URL=`$PYTHON -c "import os; print 'file://foobar' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"` $ hg pull -q "$URL" abort: file:// URLs can only refer to localhost [255] $ URL=`$PYTHON -c "import os; print 'file://localhost' + ('/' + os.getcwd().replace(os.sep, '/')).replace('//', '/') + '/../test'"` $ hg pull -q "$URL" SEC: check for unsafe ssh url $ cat >> $HGRCPATH << EOF > [ui] > ssh = sh -c "read l; read l; read l" > EOF $ hg pull 'ssh://-oProxyCommand=touch${IFS}owned/path' pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' [255] $ hg pull 'ssh://%2DoProxyCommand=touch${IFS}owned/path' pulling from ssh://-oProxyCommand%3Dtouch%24%7BIFS%7Downed/path abort: potentially unsafe url: 'ssh://-oProxyCommand=touch${IFS}owned/path' [255] $ hg pull 'ssh://fakehost|touch${IFS}owned/path' pulling from ssh://fakehost%7Ctouch%24%7BIFS%7Downed/path abort: no suitable response from remote hg! [255] $ hg pull 'ssh://fakehost%7Ctouch%20owned/path' pulling from ssh://fakehost%7Ctouch%20owned/path abort: no suitable response from remote hg! [255] $ [ ! -f owned ] || echo 'you got owned' $ cd ..