Mercurial > hg

view tests/test-hgweb-csp.t @ 35884:197d10e157ce

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
httppeer: remove support for connecting to <0.9.1 servers (BC) Previously, HTTP wire protocol clients would attempt a "capabilities" wire protocol command. If that failed, they would fall back to issuing a "between" command. The "capabilities" command was added in Mercurial 0.9.1 (released July 2006). The "between" command has been present for as long as the wire protocol has existed. So if the "between" command failed, it was safe to assume that the remote could not speak any version of the Mercurial wire protocol. The "between" fallback was added in 395a84f78736 in 2011. Before that changeset, Mercurial would *always* issue the "between" command and would issue "capabilities" if capabilities were requested. At that time, many connections would issue "capabilities" eventually, so it was decided to issue "capabilities" by default and fall back to "between" if that failed. This saved a round trip when connecting to modern servers while still preserving compatibility with legacy servers. Fast forward ~7 years. Mercurial servers supporting "capabilities" have been around for over a decade. If modern clients are connecting to <0.9.1 servers, they are getting a bad experience. They may even be getting bad data (an old server is vulnerable to numerous security issues and could have been p0wned, leading to a Mercurial repository serving backdoors or other badness). In addition, the fallback can harm experience for modern servers. If a client experiences an intermittent HTTP request failure (due to bad network, etc) and falls back to a "between" that works, it would assume an empty capability set and would attempt to communicate with the repository using a very ancient wire protocol. Auditing HTTP logs for hg.mozilla.org, I did find a handful of requests for the null range of the "between" command. However, requests can be days apart. And when I do see requests, they come in batches. Those batches seem to correlate to spikes of HTTP 500 or other server/network events. So I think these requests are fallbacks from failed "capabilities" requests and not from old clients. If you need even more evidence to discontinue support, apparently we have no test coverage for communicating with servers not supporting "capabilities." I know this because all tests pass with the "between" fallback removed. Finally, server-side support for <0.9.1 pushing (the "addchangegroup" wire protocol command along with locking-related commands) was dropped from the HTTP client in fda0867cfe03 in 2017 and the SSH client in 9f6e0e7ef828 in 2015. I think this all adds up to enough justification for removing client support for communicating with servers not supporting "capabilities." So this commit removes that fallback. Differential Revision: https://phab.mercurial-scm.org/D2001
author Gregory Szorc <gregory.szorc@gmail.com>
date Fri, 02 Feb 2018 13:13:46 -0800
parents 45a816361926
children d105bbb74658
line wrap: on
line source

#require serve

  $ cat > web.conf << EOF
  > [paths]
  > / = $TESTTMP/*
  > EOF

  $ hg init repo1
  $ cd repo1
  $ touch foo
  $ hg -q commit -A -m initial
  $ cd ..

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid >> $DAEMON_PIDS

repo index should not send Content-Security-Policy header by default

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows

static page should not send CSP by default

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows

repo page should not send CSP by default, should send ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  etag: W/"*" (glob)

  $ killdaemons.py

Configure CSP without nonce

  $ cat >> web.conf << EOF
  > [web]
  > csp = script-src https://example.com/ 'unsafe-inline'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

repo index should send Content-Security-Policy header when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

static page should send CSP when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

repo page should send CSP by default, include etag w/o nonce

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  etag: W/"*" (glob)

nonce should not be added to html if CSP doesn't use it

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript">
  <script type="text/javascript">

Configure CSP with nonce

  $ killdaemons.py
  $ cat >> web.conf << EOF
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

nonce should be substituted in CSP header

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be included in CSP for static pages

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

repo page should have nonce, no ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be added to html when used

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)

hgweb_mod w/o hgwebdir works as expected

  $ killdaemons.py

  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
  $ cat hg.pid > $DAEMON_PIDS

static page sends CSP

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce included in <script> and headers

  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)