Mercurial > hg
view hg @ 31790:62f9679df1f2
hgweb: extract path traversal checking into standalone function
A common exploit in web applications that access paths is to insert
path separator strings like ".." to try to get the server to serve up
files it shouldn't.
We have code for detecting this in staticfile(). A subsequent commit
will need to perform this test as well. Since this is security code,
let's factor the check so we don't have to reinvent the wheel.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Fri, 31 Mar 2017 21:47:26 -0700 |
parents | 1f5052d35b30 |
children | b4810bf95c03 |
line wrap: on
line source
#!/usr/bin/env python # # mercurial - scalable distributed SCM # # Copyright 2005-2007 Matt Mackall <mpm@selenic.com> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. import os import sys if os.environ.get('HGUNICODEPEDANTRY', False): try: reload(sys) sys.setdefaultencoding("undefined") except NameError: pass libdir = '@LIBDIR@' if libdir != '@' 'LIBDIR' '@': if not os.path.isabs(libdir): libdir = os.path.join(os.path.dirname(os.path.realpath(__file__)), libdir) libdir = os.path.abspath(libdir) sys.path.insert(0, libdir) # enable importing on demand to reduce startup time try: if sys.version_info[0] < 3: from mercurial import demandimport; demandimport.enable() except ImportError: sys.stderr.write("abort: couldn't find mercurial libraries in [%s]\n" % ' '.join(sys.path)) sys.stderr.write("(check your install and PYTHONPATH)\n") sys.exit(-1) import mercurial.util import mercurial.dispatch for fp in (sys.stdin, sys.stdout, sys.stderr): mercurial.util.setbinary(fp) mercurial.dispatch.run()