# HG changeset patch
# User Matt Mackall
# Date 1138479013 -46800
# Node ID 8e9c203946ae02b3df9623bd2322344d8623f31a
# Parent c6ffedc4f11bcdcd688e3f0e1b44772f93b3850d
Clean up paths passed to hgweb (spotted by Peter van Dijk)

diff -r c6ffedc4f11b -r 8e9c203946ae mercurial/hgweb.py
--- a/mercurial/hgweb.py	Sun Jan 29 08:38:31 2006 +1300
+++ b/mercurial/hgweb.py	Sun Jan 29 09:10:13 2006 +1300
@@ -801,6 +801,12 @@
     # find tag, changeset, file
     def run(self, req=hgrequest()):
+        def clean(path):
+            p = os.path.normpath(path)
+            if p[:2] == "..":
+                raise "suspicious path"
+            return p
+
         def header(**map):
             yield self.t("header", **map)
@@ -881,7 +887,8 @@
             req.write(self.changeset(req.form['node'][0]))
         elif req.form['cmd'][0] == 'manifest':
-            req.write(self.manifest(req.form['manifest'][0], req.form['path'][0]))
+            req.write(self.manifest(req.form['manifest'][0],
+                                    clean(req.form['path'][0])))
         elif req.form['cmd'][0] == 'tags':
             req.write(self.tags())
@@ -890,16 +897,20 @@
             req.write(self.summary())
         elif req.form['cmd'][0] == 'filediff':
-            req.write(self.filediff(req.form['file'][0], req.form['node'][0]))
+            req.write(self.filediff(clean(req.form['file'][0]),
+                                    req.form['node'][0]))
         elif req.form['cmd'][0] == 'file':
-            req.write(self.filerevision(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.filerevision(clean(req.form['file'][0]),
+                                        req.form['filenode'][0]))
         elif req.form['cmd'][0] == 'annotate':
-            req.write(self.fileannotate(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.fileannotate(clean(req.form['file'][0]),
+                                        req.form['filenode'][0]))
         elif req.form['cmd'][0] == 'filelog':
-            req.write(self.filelog(req.form['file'][0], req.form['filenode'][0]))
+            req.write(self.filelog(clean(req.form['file'][0]),
+                                   req.form['filenode'][0]))
         elif req.form['cmd'][0] == 'heads':
             req.httphdr("application/mercurial-0.1")
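Review bot: The guard in `clean` (first hunk) rejects only a normalized path that begins with `..`, so an absolute path such as `/etc/passwd` passes `os.path.normpath` unchanged and reaches `self.manifest`, `self.filediff`, `self.filerevision`, `self.fileannotate` and `self.filelog` at the call sites in the second and third hunks; whether that matters depends on whether those helpers ever touch the filesystem with the path, which is not visible here, but the check should cover it regardless, e.g. `if os.path.isabs(p) or p == ".." or p.startswith(".." + os.sep):`. That condition also stops rejecting legitimate names that merely start with two dots, such as `..foo`, which `p[:2] == ".."` refuses today. `raise "suspicious path"` is a string exception, which no `except SomeClass` at the call sites can catch and which Python has deprecated; `raise ValueError("suspicious path")` (or the project's own error class) would let `run` turn a rejected path into an HTTP error response instead of an unhandled traceback. Note also that `os.path.normpath` rewrites `/` to the platform separator on Windows, so if the helpers look the result up as a repository path with `/` separators, `posixpath.normpath` is presumably the right normalizer — worth confirming against those helpers. `run` begins before the first hunk and continues past all three.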