Mercurial > hg
view tests/test-trusted.py.out @ 40056:324b4b10351e
revlog: rewrite censoring logic
I was able to corrupt a revlog relatively easily with the existing
censoring code. The underlying problem is that the existing code
doesn't fully take delta chains into account. When copying revisions
that occur after the censored revision, the delta base can refer
to a censored revision. Then at read time, things blow up due to the
revision data not being a compressed delta.
This commit rewrites the revlog censoring code to take a higher-level
approach. We now create a new revlog instance pointing at temp files.
We iterate through each revision in the source revlog and insert
those revisions into the new revlog, replacing the censored revision's
data along the way.
The new implementation isn't as efficient as the old one. This is
because it will fully engage delta computation on insertion. But I
don't think it matters.
The new implementation is a bit hacky because it attempts to reload
the revlog instance with a new revlog index/data file. This is fragile.
But this is needed because the index (which could be backed by C) would
have a cached copy of the old, possibly changed data and that could
lead to problems accessing index or revision data later.
One benefit of the new approach is that we integrate with the
transaction. The old revlog is backed up and if the transaction is
rolled back, the original revlog is restored.
As part of this, we had to teach the transaction about the store
vfs. I'm not super keen about this. But this was the easiest way
to hook things up to the transaction. We /could/ just ignore the
transaction like we were doing before. But any file mutation should
be governed by transaction semantics, including undo during rollback.
Differential Revision: https://phab.mercurial-scm.org/D4869
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Tue, 02 Oct 2018 17:34:34 -0700 |
| parents | 75e4bae56068 |
| children | 73ccba60aaa1 |
line wrap: on
line source
# same user, same group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # same user, different group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # different user, same group not trusting file .hg/hgrc from untrusted user abc, group bar trusted global = /some/path untrusted . . global = /some/path . . local = /another/path # different user, same group, but we trust the group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def trusted global = /some/path untrusted . . global = /some/path . . local = /another/path # different user, different group, but we trust the user trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # different user, different group, but we trust the group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # different user, different group, but we trust the user and the group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # we trust all users # different user, different group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # we trust all groups # different user, different group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # we trust all users and groups # different user, different group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # we don't get confused by users and groups with the same name # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def trusted global = /some/path untrusted . . global = /some/path . . local = /another/path # list of user names # different user, different group, but we trust the user trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # list of group names # different user, different group, but we trust the group trusted global = /some/path local = /another/path untrusted . . global = /some/path . . local = /another/path # Can't figure out the name of the user running this process # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def trusted global = /some/path untrusted . . global = /some/path . . local = /another/path # prints debug warnings # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def trusted ignoring untrusted configuration option paths.local = /another/path global = /some/path untrusted . . global = /some/path . ignoring untrusted configuration option paths.local = /another/path . local = /another/path # report_untrusted enabled without debug hides warnings # different user, different group trusted global = /some/path untrusted . . global = /some/path . . local = /another/path # report_untrusted enabled with debug shows warnings # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def trusted ignoring untrusted configuration option paths.local = /another/path global = /some/path untrusted . . global = /some/path . ignoring untrusted configuration option paths.local = /another/path . local = /another/path # ui.readconfig sections quux # read trusted, untrusted, new ui, trusted not trusting file foobar from untrusted user abc, group def trusted: ignoring untrusted configuration option foobar.baz = quux None untrusted: quux # error handling # file doesn't exist # same user, same group # different user, different group # parse error # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def ('foo', '.hg/hgrc:1') # same user, same group ('foo', '.hg/hgrc:1') # access typed information # different user, different group not trusting file .hg/hgrc from untrusted user abc, group def # suboptions, trusted and untrusted (None, []) ('main', [('one', 'one'), ('two', 'two')]) # path, trusted and untrusted None .hg/monty/python # bool, trusted and untrusted False True # int, trusted and untrusted 0 42 # bytes, trusted and untrusted 0 84934656 # list, trusted and untrusted [] ['spam', 'ham', 'eggs']