view tests/test-http-api.t @ 41457:6c10eba6b9cd stable
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Tue, 08 Jan 2019 22:07:45 +0900 |
parents | 41263df08109 |
children | f790a4e78e97 |
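
The check named in the commit message, `os.path.realpath(util.expandpath(root))`, can be tried in isolation. The sketch below is an added example, not Mercurial's code: `expandpath` is an assumed stand-in for `util.expandpath`, and `check_subrepo_root`, `demo`, the `DEMO_*` variables and the candidate paths are constructed for illustration.

```python
import os
import tempfile


def expandpath(path):
    # Assumption: stand-in for util.expandpath (environment variables, then "~").
    return os.path.expanduser(os.path.expandvars(path))


def check_subrepo_root(root):
    """Return root unchanged, or raise ValueError if expansion would alter it."""
    resolved = os.path.realpath(expandpath(root))
    if resolved != root:
        raise ValueError(
            "subrepo path would resolve to %r, not %r" % (resolved, root))
    return root


def demo():
    """Classify four constructed subrepo roots as accepted or rejected."""
    os.environ["DEMO_SUBREPO_VAR"] = "elsewhere"
    os.environ.pop("DEMO_UNSET_VAR", None)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Resolve the scratch directory first so only the last component varies.
        base = os.path.realpath(tmp)
        candidates = {
            "plain": os.path.join(base, "sub"),
            # A defined variable expands, so the repository would be
            # created somewhere other than the path that was validated.
            "defined-var": os.path.join(base, "$DEMO_SUBREPO_VAR"),
            # An undefined variable is left as a literal directory name.
            "undefined-var": os.path.join(base, "$DEMO_UNSET_VAR"),
            # realpath also normalizes "..", so this differs from the input.
            "dotdot": os.path.join(base, "sub", "..", "other"),
        }
        for name, root in candidates.items():
            try:
                check_subrepo_root(root)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The comparison rejects any path that the later expansion step would rewrite, whichever mechanism (variable, `~`, or path normalization) does the rewriting.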
```
#require no-chg

  $ send() {
  >   hg --verbose debugwireproto --peer raw http://$LOCALIP:$HGPORT/
  > }

  $ hg init server
  $ hg -R server serve -p $HGPORT -d --pid-file hg.pid
  $ cat hg.pid > $DAEMON_PIDS

Request to /api fails unless web.apiserver is enabled

  $ get-with-headers.py $LOCALIP:$HGPORT api
  400 no such method: api
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
  <head>
  <link rel="icon" href="/static/hgicon.png" type="image/png" />
  <meta name="robots" content="index, nofollow" />
  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <title>$TESTTMP/server: error</title>
  </head>
  <body>
  <div class="container">
  <div class="menu">
  <div class="logo">
  <a href="https://mercurial-scm.org/">
  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
  </div>
  <ul>
  <li><a href="/shortlog">log</a></li>
  <li><a href="/graph">graph</a></li>
  <li><a href="/tags">tags</a></li>
  <li><a href="/bookmarks">bookmarks</a></li>
  <li><a href="/branches">branches</a></li>
  </ul>
  <ul>
  <li><a href="/help">help</a></li>
  </ul>
  </div>
  <div class="main">
  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
  <h3>error</h3>
  <form class="search" action="/log">
  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
  <div id="hint">Find changesets by keywords (author, files, the commit message), revision number or hash, or <a href="/help/revsets">revset expression</a>.</div>
  </form>
  <div class="description">
  <p>
  An error occurred while processing your request:
  </p>
  <p>
  no such method: api
  </p>
  </div>
  </div>
  </div>
  </body>
  </html>
  [1]

  $ get-with-headers.py $LOCALIP:$HGPORT api/
  400 no such method: api
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
  <head>
  <link rel="icon" href="/static/hgicon.png" type="image/png" />
  <meta name="robots" content="index, nofollow" />
  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <title>$TESTTMP/server: error</title>
  </head>
  <body>
  <div class="container">
  <div class="menu">
  <div class="logo">
  <a href="https://mercurial-scm.org/">
  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
  </div>
  <ul>
  <li><a href="/shortlog">log</a></li>
  <li><a href="/graph">graph</a></li>
  <li><a href="/tags">tags</a></li>
  <li><a href="/bookmarks">bookmarks</a></li>
  <li><a href="/branches">branches</a></li>
  </ul>
  <ul>
  <li><a href="/help">help</a></li>
  </ul>
  </div>
  <div class="main">
  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
  <h3>error</h3>
  <form class="search" action="/log">
  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
  <div id="hint">Find changesets by keywords (author, files, the commit message), revision number or hash, or <a href="/help/revsets">revset expression</a>.</div>
  </form>
  <div class="description">
  <p>
  An error occurred while processing your request:
  </p>
  <p>
  no such method: api
  </p>
  </div>
  </div>
  </div>
  </body>
  </html>
  [1]

Restart server with support for API server

  $ killdaemons.py
  $ cat > server/.hg/hgrc << EOF
  > [experimental]
  > web.apiserver = true
  > EOF

  $ hg -R server serve -p $HGPORT -d --pid-file hg.pid
  $ cat hg.pid > $DAEMON_PIDS

/api lists available APIs (empty since none are available by default)

  $ send << EOF
  > httprequest GET api
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 200 OK\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 100\r\n
  s>     \r\n
  s>     APIs can be accessed at /api/<name>, where <name> can be one of the following:\n
  s>     \n
  s>     (no available APIs)\n

  $ send << EOF
  > httprequest GET api/
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api/ HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 200 OK\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 100\r\n
  s>     \r\n
  s>     APIs can be accessed at /api/<name>, where <name> can be one of the following:\n
  s>     \n
  s>     (no available APIs)\n

Accessing an unknown API yields a 404

  $ send << EOF
  > httprequest GET api/unknown
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api/unknown HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 404 Not Found\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 33\r\n
  s>     \r\n
  s>     Unknown API: unknown\n
  s>     Known APIs: 

Accessing a known but not enabled API yields a different error

  $ send << EOF
  > httprequest GET api/exp-http-v2-0003
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api/exp-http-v2-0003 HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 404 Not Found\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 33\r\n
  s>     \r\n
  s>     API exp-http-v2-0003 not enabled\n

Restart server with support for HTTP v2 API

  $ killdaemons.py
  $ cat > server/.hg/hgrc << EOF
  > [experimental]
  > web.apiserver = true
  > web.api.http-v2 = true
  > EOF

  $ hg -R server serve -p $HGPORT -d --pid-file hg.pid
  $ cat hg.pid > $DAEMON_PIDS

/api lists the HTTP v2 protocol as available

  $ send << EOF
  > httprequest GET api
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 200 OK\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 96\r\n
  s>     \r\n
  s>     APIs can be accessed at /api/<name>, where <name> can be one of the following:\n
  s>     \n
  s>     exp-http-v2-0003

  $ send << EOF
  > httprequest GET api/
  >     user-agent: test
  > EOF
  using raw connection to peer
  s>     GET /api/ HTTP/1.1\r\n
  s>     Accept-Encoding: identity\r\n
  s>     user-agent: test\r\n
  s>     host: $LOCALIP:$HGPORT\r\n (glob)
  s>     \r\n
  s> makefile('rb', None)
  s>     HTTP/1.1 200 OK\r\n
  s>     Server: testing stub value\r\n
  s>     Date: $HTTP_DATE$\r\n
  s>     Content-Type: text/plain\r\n
  s>     Content-Length: 96\r\n
  s>     \r\n
  s>     APIs can be accessed at /api/<name>, where <name> can be one of the following:\n
  s>     \n
  s>     exp-http-v2-0003
```