Mercurial > hg
view tests/test-http-api.t @ 38935:27a54096c92e
linelog: fix infinite loop vulnerability
Checking `len(lines)` is not a great way of detecting infinite loops, as
demonstrated in the added test. Therefore check instruction count instead.
The original C implementation does not have this problem. There are a few
other places where the C implementation enforces more strictly, like
`a1 <= a2`, `b1 <= b2`, `rev > 0`. But they are optional.
Test Plan:
Add a test. The old code forces the test to time out.
Differential Revision: https://phab.mercurial-scm.org/D4151
author | Jun Wu <quark@fb.com> |
---|---|
date | Mon, 06 Aug 2018 22:24:00 -0700 |
parents | 538e850ae737 |
children | d059cb669632 |
line wrap: on
line source
#require no-chg $ send() { > hg --verbose debugwireproto --peer raw http://$LOCALIP:$HGPORT/ > } $ hg init server $ hg -R server serve -p $HGPORT -d --pid-file hg.pid $ cat hg.pid > $DAEMON_PIDS Request to /api fails unless web.apiserver is enabled $ get-with-headers.py $LOCALIP:$HGPORT api 400 no such method: api <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"> <head> <link rel="icon" href="/static/hgicon.png" type="image/png" /> <meta name="robots" content="index, nofollow" /> <link rel="stylesheet" href="/static/style-paper.css" type="text/css" /> <script type="text/javascript" src="/static/mercurial.js"></script> <title>$TESTTMP/server: error</title> </head> <body> <div class="container"> <div class="menu"> <div class="logo"> <a href="https://mercurial-scm.org/"> <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a> </div> <ul> <li><a href="/shortlog">log</a></li> <li><a href="/graph">graph</a></li> <li><a href="/tags">tags</a></li> <li><a href="/bookmarks">bookmarks</a></li> <li><a href="/branches">branches</a></li> </ul> <ul> <li><a href="/help">help</a></li> </ul> </div> <div class="main"> <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2> <h3>error</h3> <form class="search" action="/log"> <p><input name="rev" id="search1" type="text" size="30" value="" /></p> <div id="hint">Find changesets by keywords (author, files, the commit message), revision number or hash, or <a href="/help/revsets">revset expression</a>.</div> </form> <div class="description"> <p> An error occurred while processing your request: </p> <p> no such method: api </p> </div> </div> </div> </body> </html> [1] $ get-with-headers.py $LOCALIP:$HGPORT api/ 400 no such method: api <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"> <head> <link rel="icon" href="/static/hgicon.png" type="image/png" /> <meta name="robots" content="index, nofollow" /> <link rel="stylesheet" href="/static/style-paper.css" type="text/css" /> <script type="text/javascript" src="/static/mercurial.js"></script> <title>$TESTTMP/server: error</title> </head> <body> <div class="container"> <div class="menu"> <div class="logo"> <a href="https://mercurial-scm.org/"> <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a> </div> <ul> <li><a href="/shortlog">log</a></li> <li><a href="/graph">graph</a></li> <li><a href="/tags">tags</a></li> <li><a href="/bookmarks">bookmarks</a></li> <li><a href="/branches">branches</a></li> </ul> <ul> <li><a href="/help">help</a></li> </ul> </div> <div class="main"> <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2> <h3>error</h3> <form class="search" action="/log"> <p><input name="rev" id="search1" type="text" size="30" value="" /></p> <div id="hint">Find changesets by keywords (author, files, the commit message), revision number or hash, or <a href="/help/revsets">revset expression</a>.</div> </form> <div class="description"> <p> An error occurred while processing your request: </p> <p> no such method: api </p> </div> </div> </div> </body> </html> [1] Restart server with support for API server $ killdaemons.py $ cat > server/.hg/hgrc << EOF > [experimental] > web.apiserver = true > EOF $ hg -R server serve -p $HGPORT -d --pid-file hg.pid $ cat hg.pid > $DAEMON_PIDS /api lists available APIs (empty since none are available by default) $ send << EOF > httprequest GET api > user-agent: test > EOF using raw connection to peer s> GET /api HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 200 OK\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 100\r\n s> \r\n s> APIs can be accessed at /api/<name>, where <name> can be one of the following:\n s> \n s> (no available APIs)\n $ send << EOF > httprequest GET api/ > user-agent: test > EOF using raw connection to peer s> GET /api/ HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 200 OK\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 100\r\n s> \r\n s> APIs can be accessed at /api/<name>, where <name> can be one of the following:\n s> \n s> (no available APIs)\n Accessing an unknown API yields a 404 $ send << EOF > httprequest GET api/unknown > user-agent: test > EOF using raw connection to peer s> GET /api/unknown HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 404 Not Found\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 33\r\n s> \r\n s> Unknown API: unknown\n s> Known APIs: Accessing a known but not enabled API yields a different error $ send << EOF > httprequest GET api/exp-http-v2-0001 > user-agent: test > EOF using raw connection to peer s> GET /api/exp-http-v2-0001 HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 404 Not Found\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 33\r\n s> \r\n s> API exp-http-v2-0001 not enabled\n Restart server with support for HTTP v2 API $ killdaemons.py $ cat > server/.hg/hgrc << EOF > [experimental] > web.apiserver = true > web.api.http-v2 = true > EOF $ hg -R server serve -p $HGPORT -d --pid-file hg.pid $ cat hg.pid > $DAEMON_PIDS /api lists the HTTP v2 protocol as available $ send << EOF > httprequest GET api > user-agent: test > EOF using raw connection to peer s> GET /api HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 200 OK\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 96\r\n s> \r\n s> APIs can be accessed at /api/<name>, where <name> can be one of the following:\n s> \n s> exp-http-v2-0001 $ send << EOF > httprequest GET api/ > user-agent: test > EOF using raw connection to peer s> GET /api/ HTTP/1.1\r\n s> Accept-Encoding: identity\r\n s> user-agent: test\r\n s> host: $LOCALIP:$HGPORT\r\n (glob) s> \r\n s> makefile('rb', None) s> HTTP/1.1 200 OK\r\n s> Server: testing stub value\r\n s> Date: $HTTP_DATE$\r\n s> Content-Type: text/plain\r\n s> Content-Length: 96\r\n s> \r\n s> APIs can be accessed at /api/<name>, where <name> can be one of the following:\n s> \n s> exp-http-v2-0001