Mercurial > hg

view mercurial/exewrapper.c @ 36756:2ecb0fc535b1 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: always perform permissions checks on protocol commands (BC) (SEC) Previously, the HTTP request handling code would only perform permissions checking on a wire protocol command if that wire protocol command defined its permissions / operation type. This meant that commands (possibly provided by extensions) not defining their operation type would bypass permissions check. This could lead to exfiltration of data from servers and mutating repositories that were supposed to be read-only. This security issue has been present since the permissions table was introduced by d3147b4e3e8a in 2008. This commit changes the behavior of the HTTP server to always perform permissions checking for protocol requests. If an explicit permission for a wire protocol command is not defined, the server assumes the command can be used for writing and governs access accordingly. .. bc:: Wire protocol commands not defining their operation type in ``wireproto.PERMISSIONS`` are now assumed to be used for "push" operations and access control to run those commands is now enforced accordingly.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 18 Feb 2018 17:20:38 -0800
parents 31c6c4d27be7
children aca727359ec5
line wrap: on
line source

/*
 exewrapper.c - wrapper for calling a python script on Windows

 Copyright 2012 Adrian Buehlmann <adrian@cadifra.com> and others

 This software may be used and distributed according to the terms of the
 GNU General Public License version 2 or any later version.
*/

#include <stdio.h>
#include <windows.h>

#include "hgpythonlib.h"

#ifdef __GNUC__
int strcat_s(char *d, size_t n, const char *s)
{
	return !strncat(d, s, n);
}
int strcpy_s(char *d, size_t n, const char *s)
{
	return !strncpy(d, s, n);
}
#endif

static char pyscript[MAX_PATH + 10];
static char pyhome[MAX_PATH + 10];
static char envpyhome[MAX_PATH + 10];
static char pydllfile[MAX_PATH + 10];

int main(int argc, char *argv[])
{
	char *p;
	int ret;
	int i;
	int n;
	char **pyargv;
	WIN32_FIND_DATA fdata;
	HANDLE hfind;
	const char *err;
	HMODULE pydll;
	void(__cdecl * Py_SetPythonHome)(char *home);
	int(__cdecl * Py_Main)(int argc, char *argv[]);

	if (GetModuleFileName(NULL, pyscript, sizeof(pyscript)) == 0) {
		err = "GetModuleFileName failed";
		goto bail;
	}

	p = strrchr(pyscript, '.');
	if (p == NULL) {
		err = "malformed module filename";
		goto bail;
	}
	*p = 0; /* cut trailing ".exe" */
	strcpy_s(pyhome, sizeof(pyhome), pyscript);

	hfind = FindFirstFile(pyscript, &fdata);
	if (hfind != INVALID_HANDLE_VALUE) {
		/* pyscript exists, close handle */
		FindClose(hfind);
	} else {
		/* file pyscript isn't there, take <pyscript>exe.py */
		strcat_s(pyscript, sizeof(pyscript), "exe.py");
	}

	pydll = NULL;

	p = strrchr(pyhome, '\\');
	if (p == NULL) {
		err = "can't find backslash in module filename";
		goto bail;
	}
	*p = 0; /* cut at directory */

	/* check for private Python of HackableMercurial */
	strcat_s(pyhome, sizeof(pyhome), "\\hg-python");

	hfind = FindFirstFile(pyhome, &fdata);
	if (hfind != INVALID_HANDLE_VALUE) {
		/* Path .\hg-python exists. We are probably in HackableMercurial
		scenario, so let's load python dll from this dir. */
		FindClose(hfind);
		strcpy_s(pydllfile, sizeof(pydllfile), pyhome);
		strcat_s(pydllfile, sizeof(pydllfile), "\\" HGPYTHONLIB ".dll");
		pydll = LoadLibrary(pydllfile);
		if (pydll == NULL) {
			err = "failed to load private Python DLL " HGPYTHONLIB
			      ".dll";
			goto bail;
		}
		Py_SetPythonHome =
		    (void *)GetProcAddress(pydll, "Py_SetPythonHome");
		if (Py_SetPythonHome == NULL) {
			err = "failed to get Py_SetPythonHome";
			goto bail;
		}
		Py_SetPythonHome(pyhome);
	}

	if (pydll == NULL) {
		pydll = LoadLibrary(HGPYTHONLIB ".dll");
		if (pydll == NULL) {
			err = "failed to load Python DLL " HGPYTHONLIB ".dll";
			goto bail;
		}
	}

	Py_Main = (void *)GetProcAddress(pydll, "Py_Main");
	if (Py_Main == NULL) {
		err = "failed to get Py_Main";
		goto bail;
	}

	/*
	Only add the pyscript to the args, if it's not already there. It may
	already be there, if the script spawned a child process of itself, in
	the same way as it got called, that is, with the pyscript already in
	place. So we optionally accept the pyscript as the first argument
	(argv[1]), letting our exe taking the role of the python interpreter.
	*/
	if (argc >= 2 && strcmp(argv[1], pyscript) == 0) {
		/*
		pyscript is already in the args, so there is no need to copy
		the args and we can directly call the python interpreter with
		the original args.
		*/
		return Py_Main(argc, argv);
	}

	/*
	Start assembling the args for the Python interpreter call. We put the
	name of our exe (argv[0]) in the position where the python.exe
	canonically is, and insert the pyscript next.
	*/
	pyargv = malloc((argc + 5) * sizeof(char *));
	if (pyargv == NULL) {
		err = "not enough memory";
		goto bail;
	}
	n = 0;
	pyargv[n++] = argv[0];
	pyargv[n++] = pyscript;

	/* copy remaining args from the command line */
	for (i = 1; i < argc; i++)
		pyargv[n++] = argv[i];
	/* argv[argc] is guaranteed to be NULL, so we forward that guarantee */
	pyargv[n] = NULL;

	ret = Py_Main(n, pyargv); /* The Python interpreter call */

	free(pyargv);
	return ret;

bail:
	fprintf(stderr, "abort: %s\n", err);
	return 255;
}