Mon, 06 Nov 2017 14:56:17 -0500 config: add some more documentation around why svn and git subrepos are off stable
Augie Fackler <augie@google.com> [Mon, 06 Nov 2017 14:56:17 -0500] rev 34988
config: add some more documentation around why svn and git subrepos are off
Sun, 05 Nov 2017 21:51:42 +0900 subrepo: disable git and svn subrepos by default (BC) (SEC) stable
Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:51:42 +0900] rev 34987
subrepo: disable git and svn subrepos by default (BC) (SEC) We have a security issue with git subrepos. I'm not sure if svn subrepo is vulnerable, but it seems not 100% safe to allow writing arbitrary data into a metadata directory. So for now, only hg subrepo is enabled by default. Maybe we should improve the help to describe why git/svn subrepos are disabled.
Sun, 05 Nov 2017 21:48:58 +0900 subrepo: extend config option to disable subrepos by type (SEC) stable
Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:48:58 +0900] rev 34986
subrepo: extend config option to disable subrepos by type (SEC) This allows us to minimize the behavior change introduced by the next patch. I have no idea which config style is preferred in UX POV, but I decided to get things done. a) list: 'allowed = hg, git, svn' b) sub option: 'allowed.hg = True' or 'allowed:hg = True' c) per-type action: 'hg = allow', 'git = abort'
Sun, 05 Nov 2017 21:22:07 +0900 subrepo: add config option to reject any subrepo operations (SEC) stable
Yuya Nishihara <yuya@tcha.org> [Sun, 05 Nov 2017 21:22:07 +0900] rev 34985
subrepo: add config option to reject any subrepo operations (SEC) This is an alternative workaround for the issue5730. Perhaps this is the simplest way of disabling subrepo operations. It does nothing clever, but just aborts if Mercurial starts accessing to a subrepo. I think Greg's patch is more useful since it allows us to at least check out the parent repository. However, that would be confusing if the default is flipped to checkout=False and subrepos are silently ignored. I don't like the config name 'allowed', but I couldn't get any better name.
Fri, 03 Nov 2017 20:12:50 +0900 subrepo: disallow symlink traversal across subrepo mount point (SEC) stable
Yuya Nishihara <yuya@tcha.org> [Fri, 03 Nov 2017 20:12:50 +0900] rev 34984
subrepo: disallow symlink traversal across subrepo mount point (SEC) It wasn't easy to extend the pathauditor to check symlink traversal across subrepos because pathauditor._checkfs() rejects a directory having ".hg" directory. That's why I added the explicit islink() check. No idea if this patch is necessary after we've fixed the issue5730 by splitting submerge() into planning and execution phases.
Fri, 03 Nov 2017 19:17:25 +0900 tests: show symlink traversal across subrepo mount point (SEC) stable
Yuya Nishihara <yuya@tcha.org> [Fri, 03 Nov 2017 19:17:25 +0900] rev 34983
tests: show symlink traversal across subrepo mount point (SEC) Also adds a couple of tests where the auditor does work as expected.
Mon, 06 Nov 2017 10:33:40 -0800 share: move config item declarations into core stable
Gregory Szorc <gregory.szorc@gmail.com> [Mon, 06 Nov 2017 10:33:40 -0800] rev 34982
share: move config item declarations into core These config items control share behavior that is implemented in core. Since the functionality is implemented in core, extensions may leverage it. Mozilla has one such extension. And, it needs to access share.pool. Before this patch, a devel warning regarding accessing an unregistered config option would be issued unless the share extension were loaded. Moving the registration of the config options to core fixes this.
(0) -30000 -10000 -3000 -1000 -300 -100 -30 -10 -7 +7 +10 +30 +100 +300 +1000 +3000 +10000 tip