Gregory Szorc <gregory.szorc@gmail.com> [Wed, 30 Jan 2019 13:08:59 -0800] rev 41464
tests: change how sockets are closed
Python 3 uses a different type to represent a socket file object
than Python 2. We need to conditionalize how the socket is closed
accordingly.
While we're here, we switch to use socket.shutdown() to close the
socket. This is because socket.close() may not actually close
the socket until it is GCd. socket.shutdown() forces an immediate
shutdown.
I suspect Python 3 changed semantic behavior here, as I can't get
test-http-bad-server.t to work with socket.close(). socket.shutdown()
does appear to work, however.
Differential Revision: https://phab.mercurial-scm.org/D5751
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 30 Jan 2019 09:52:16 -0800] rev 41463
tests: add b'' prefixes to badserverext.py
This avoids a handful of failures due to missing str and bytes.
# skip-blame: just a bunch of b'' prefixes
Differential Revision: https://phab.mercurial-scm.org/D5750
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 30 Jan 2019 11:44:34 -0800] rev 41462
hgweb: log error before attempting I/O
Previously, an uncaught exception during HTTP request serving would
attempt to send an error response then log the exception.
If an exception occurred during I/O, this exception would be
raised and the original exception wouldn't be logged.
This commit changes behavior so the original exception is logged
first, before we attempt to do anything else. This ensures the
exception is logged.
This change resulted in new tracebacks appearing in various tests.
Because tracebacks can vary between Python versions, we added a
simple script to filter the stack part of traceback lines. This
makes testing much simpler, as we don't need to glob over lines
and make lines conditional.
Differential Revision: https://phab.mercurial-scm.org/D5749
Gregory Szorc <gregory.szorc@gmail.com> [Tue, 29 Jan 2019 11:51:19 -0800] rev 41461
tests: write commit message using file I/O
Python 2.7 will print() \x94\x5c\x0a whereas Python 3 will
print() \xc2\x94\x5c\x0a. Why, I'm not sure. It probably has to
do with print() being Unicode aware on Python 3 and Python
attempting some kind of encoding before emitting the output.
This difference results in a different bytes making it to the
commit message and the JSON output varying. We work around
this by writing bytes to a commit message file.
Differential Revision: https://phab.mercurial-scm.org/D5741
Augie Fackler <raf@durin42.com> [Fri, 01 Feb 2019 13:44:09 -0500] rev 41460
Added signature for changeset
83377b4b4ae0
Augie Fackler <raf@durin42.com> [Fri, 01 Feb 2019 13:44:07 -0500] rev 41459
Added tag 4.9 for changeset
83377b4b4ae0
Yuya Nishihara <yuya@tcha.org> [Tue, 08 Jan 2019 22:19:36 +0900] rev 41458
subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
for any subrepo types. I think this is safer, and real-world subrepos wouldn't
use such (local) paths.
Yuya Nishihara <yuya@tcha.org> [Tue, 08 Jan 2019 22:07:45 +0900] rev 41457
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds add a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
Yuya Nishihara <yuya@tcha.org> [Tue, 08 Jan 2019 21:51:54 +0900] rev 41456
subrepo: extend path auditing test to include more weird patterns (SEC)
While reviewing patches for the issue 5739, "$foo in repository path
expanded", I realized that subrepo paths can also be cheated. This patch
includes various subrepo paths which are potentially unsafe.
Since an expanded subrepo path isn't audited, this bug allows symlink check
bypass. As a result, a malicious subrepository could be checked out to a
sub tree of e.g. $HOME directory. The good news is that the destination
directory must be empty or nonexistent, so the existing ~/.bashrc wouldn't
be overwritten. See the last part of the tests for details.
Anton Shestakov <av6@dwimlabs.net> [Thu, 31 Jan 2019 13:32:21 +0800] rev 41455
copyright: update to 2019
Differential Revision: https://phab.mercurial-scm.org/D5779