# HG changeset patch
# User Benoit Boissinot
# Date 1245534171 18000
# Node ID 36654238c0503a66c18859a442a8acf267eb7205
# Parent 580a79dde2a364509cd7b9570d2eb8351253ed95
hgweb: deny cloning a subpath of a repo
diff -r 580a79dde2a3 -r 36654238c050 mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Sat Jun 20 13:00:25 2009 -0500
+++ b/mercurial/hgweb/hgweb_mod.py Sat Jun 20 16:42:51 2009 -0500
@@ -82,28 +82,6 @@
 self.refresh()
- # process this if it's a protocol request
- # protocol bits don't need to create any URLs
- # and the clients always use the old URL structure
-
- cmd = req.form.get('cmd', [''])[0]
- if cmd and cmd in protocol.__all__:
- try:
- if cmd in perms:
- try:
- self.check_perm(req, perms[cmd])
- except ErrorResponse, inst:
- if cmd == 'unbundle':
- req.drain()
- raise
- method = getattr(protocol, cmd)
- return method(self.repo, req)
- except ErrorResponse, inst:
- req.respond(inst, protocol.HGTYPE)
- if not inst.message:
- return []
- return '0\n%s\n' % inst.message,
-
 # work with CGI variables to create coherent structure
 # use SCRIPT_NAME, PATH_INFO and QUERY_STRING as well as our REPO_NAME
@@ -123,6 +101,30 @@
 query = req.env['QUERY_STRING'].split('&', 1)[0]
 query = query.split(';', 1)[0]
+ # process this if it's a protocol request
+ # protocol bits don't need to create any URLs
+ # and the clients always use the old URL structure
+
+ cmd = req.form.get('cmd', [''])[0]
+ if cmd and cmd in protocol.__all__:
+ if query:
+ raise ErrorResponse(HTTP_NOT_FOUND)
+ try:
+ if cmd in perms:
+ try:
+ self.check_perm(req, perms[cmd])
+ except ErrorResponse, inst:
+ if cmd == 'unbundle':
+ req.drain()
+ raise
+ method = getattr(protocol, cmd)
+ return method(self.repo, req)
+ except ErrorResponse, inst:
+ req.respond(inst, protocol.HGTYPE)
+ if not inst.message:
+ return []
+ return '0\n%s\n' % inst.message,
+
 # translate user-visible url structure to internal structure
 args = query.split('/', 2)
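Review bot: In the second hunk the new `if query:` / `raise ErrorResponse(HTTP_NOT_FOUND)` pair sits before the `try:`, so a rejected subpath request never reaches the `except ErrorResponse, inst:` handler below it and is not answered through `req.respond(inst, protocol.HGTYPE)` like every other protocol error. Moving those two lines to be the first statements inside the `try:` keeps the denial on the protocol error path. The `req.drain()` call only runs for a failed `check_perm`, so decide explicitly whether an `unbundle` rejected by the new check should also drain its request body. The context lines show `query` taken from the first `QUERY_STRING` component; if that is the assignment used when no path info is present (the branching is outside the hunk), a plain `?cmd=...` request would have a non-empty `query` and be answered 404, which deserves a test. The enclosing method starts and ends outside the hunk.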