Mercurial > hg
view hgeditor @ 31790:62f9679df1f2
hgweb: extract path traversal checking into standalone function
A common exploit in web applications that access paths is to insert
path separator strings like ".." to try to get the server to serve up
files it shouldn't.
We have code for detecting this in staticfile(). A subsequent commit
will need to perform this test as well. Since this is security code,
let's factor the check so we don't have to reinvent the wheel.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Fri, 31 Mar 2017 21:47:26 -0700 |
parents | 1aee2ab0f902 |
children |
line wrap: on
line source
#!/bin/sh # # This is an example of using HGEDITOR to create of diff to review the # changes while committing. # If you want to pass your favourite editor some other parameters # only for Mercurial, modify this: case "${EDITOR}" in "") EDITOR="vi" ;; emacs) EDITOR="$EDITOR -nw" ;; gvim|vim) EDITOR="$EDITOR -f -o" ;; esac HGTMP="" cleanup_exit() { rm -rf "$HGTMP" } # Remove temporary files even if we get interrupted trap "cleanup_exit" 0 # normal exit trap "exit 255" HUP INT QUIT ABRT TERM HGTMP=$(mktemp -d ${TMPDIR-/tmp}/hgeditor.XXXXXX) [ x$HGTMP != x -a -d $HGTMP ] || { echo "Could not create temporary directory! Exiting." 1>&2 exit 1 } ( grep '^HG: changed' "$1" | cut -b 13- | while read changed; do "$HG" diff "$changed" >> "$HGTMP/diff" done ) cat "$1" > "$HGTMP/msg" MD5=$(which md5sum 2>/dev/null) || \ MD5=$(which md5 2>/dev/null) [ -x "${MD5}" ] && CHECKSUM=`${MD5} "$HGTMP/msg"` if [ -s "$HGTMP/diff" ]; then $EDITOR "$HGTMP/msg" "$HGTMP/diff" || exit $? else $EDITOR "$HGTMP/msg" || exit $? fi [ -x "${MD5}" ] && (echo "$CHECKSUM" | ${MD5} -c >/dev/null 2>&1 && exit 13) mv "$HGTMP/msg" "$1" exit $?