wireproto: move command permissions dict out of hgweb_mod The operation type associated with wire protocol commands is supposed to be defined in a dictionary so it can be used for permissions checking. Since this metadata is closely associated with wire protocol commands themselves, it makes sense to define it in the same module where wire protocol commands are defined. This commit moves hgweb_mod.perms to wireproto.PERMISSIONS and updates most references in the code to use the new home. The old symbol remains an alias for the new symbol. Tests pass with the code pointing at the old symbol. So this should be API compatible for extensions. As part of the code move, we split up the assignment to the dict so it is next to the @wireprotocommand. This reinforces that a @wireprotocommand should have an entry in this dict. In the future, we'll want to declare permissions as part of the @wireprotocommand decorator. But this isn't appropriate for the stable branch.

tests: comprehensively test HTTP server permissions checking We didn't have test coverage for numerous web.* config options. We add that test coverage. Included in the tests are tests for custom commands. We have commands that are supposedly read-only and perform writes and a variation of each that does and does not define its operation type in hgweb_mod.perms. The tests reveal a handful of security bugs related to permissions checking. Subsequent commits will address these security bugs.

tests: extract HTTP permissions tests to own test file We're about to implement a lot more coverage of the permissions mechanism. In preparation for that, establish a new test file to hold permissions checks. As part of this, we inline the important parts of the "req" helper function.

Added signature for changeset 369aadf7a326

Added tag 4.5.1 for changeset 369aadf7a326

revlog: resolve lfs rawtext to vanilla rawtext before applying delta This happens when a LFS delta base gets a non-LFS delta from another client. In that case, the LFS delta base needs to be converted to non-LFS version before applying the delta. Differential Revision: https://phab.mercurial-scm.org/D2069

sslutil: some more forcebytes() on some exception messages At this point, test-https.t no longer dumps tracebacks everywhere. Instead, we get some results that look like we're not adequately finding things in hg's configuration, which should be manageable (if somewhat annoying to find and fix.) Differential Revision: https://phab.mercurial-scm.org/D2690

sslutil: sslcontext needs the cipher name as a sysstr Differential Revision: https://phab.mercurial-scm.org/D2689

sslutil: lots of unicode/bytes cleanup In general, we handle hostnames as bytes, except where Python forces them to be unicodes. This fixes all the tracebacks I was seeing in test-https.t, but there's still some ECONNRESET weirdness that I can't hunt down... Differential Revision: https://phab.mercurial-scm.org/D2687

revlog: do not use delta for lfs revisions This is similar to what we have done for changegroups. It is needed to make sure the delta application code path can assume deltas are always against vanilla (ex. non-LFS) rawtext so the next fix becomes possible. Differential Revision: https://phab.mercurial-scm.org/D2068

changegroup: do not delta lfs revisions There is no way to distinguish whether a delta base is LFS or non-LFS. If the delta is against LFS rawtext, and the client trying to apply it has the base revision stored as fulltext, the delta (aka. bundle) will fail to apply. This patch forbids using delta for LFS revisions in changegroup so bad deltas won't be transmitted. Note: this does not solve the problem entirely. It solves LFS delta applying to non-LFS base. But the other direction: non-LFS delta applying to LFS base is not solved yet. Differential Revision: https://phab.mercurial-scm.org/D2067

lfs: add a test showing bundle application could be broken When a bundle containing LFS delta uses non-LFS delta-base, or vice-versa, the bundle will fail to apply. Differential Revision: https://phab.mercurial-scm.org/D2066

debugwireproto: handle unimplemented util.poll() for Windows This is the same logic used in sshpeer.doublepipe. It doesn't completely fix test-ssh-proto{,-unbundle}.t ("read(-1) -> X" is changed to "read(X) -> X", the order of some lines are changed, and abort messages seem to be missing), but it cuts down a ton on the failure spew.

py3: byte-stringify test-blackbox.t