context: use a the nofsauditor when matching file in history (issue4749) Before this change, asking for file from history (eg: 'hg cat -r 42 foo/bar') could fail because of the current content of the working copy (eg: current "foo" being a symlink). As the working copy state have no influence on the content of the history, we can safely skip these checks. The working copy context class have a different 'match' implementation. That implementation still use the repo.auditor will still catch symlink traversal. I've audited all stuff calling "match" and they all go through a ctx in a sensible way. The most unclear case was diff which still seemed okay. You raised my paranoid level today and I double checked through tests. They behave properly. The odds of someone using the wrong (matching with a changectx for operation that will eventually touch the file system) is non-zero because you are never sure of what people will do. But I dunno if we can fight against that. So I would not commit to "never" for "at this level" and "in the future" if someone write especially bad code. However, as a last defense, the vfs itself is running path auditor in all cases outside of .hg/. So I think anything passing the 'matcher' for buggy reason would growl at the vfs layer.

localrepo: add a second auditor without file system check Auditors keeps a cache of audited paths. Therefore we cannot use the same auditor for working copy and history operation. We create a new one without file system check for this purposes.

pathauditor: add a way to skip file system check We need to be able to skip it when looking at data within the history. Doing them in all cases leads to buggy behavior like issue4749.

pathauditor: move file system specific check in their own function This will make it easy to disable that part when not relevant (eg: auditing filename for operation in history)