Mercurial > hg
view contrib/hgweb.wsgi @ 41457:6c10eba6b9cd stable
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds add a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Tue, 08 Jan 2019 22:07:45 +0900 |
| parents | 4b0fc75f9403 |
| children | d58a205d0672 |
line wrap: on
line source
# An example WSGI for use with mod_wsgi, edit as necessary # See https://mercurial-scm.org/wiki/modwsgi for more information # Path to repo or hgweb config to serve (see 'hg help hgweb') config = "/path/to/repo/or/config" # Uncomment and adjust if Mercurial is not installed system-wide # (consult "installed modules" path from 'hg debuginstall'): #import sys; sys.path.insert(0, "/path/to/python/lib") # Uncomment to send python tracebacks to the browser if an error occurs: #import cgitb; cgitb.enable() # enable demandloading to reduce startup time from mercurial import demandimport; demandimport.enable() from mercurial.hgweb import hgweb application = hgweb(config)