# HG changeset patch
# User Matt Harbison
# Date 1522555088 14400
# Node ID 9640ccf44ac0b8b9c1407e8e74a16fb2ea4b5120
# Parent fe061e47a2cf2d40836cb993afd4e35e92d9246f
lfs: ensure the transfer request is for a known URI
Since the dispatching code only checks the beginning of the string, this enforces that there's only one more path component.
diff -r fe061e47a2cf -r 9640ccf44ac0 hgext/lfs/wireprotolfsserver.py
--- a/hgext/lfs/wireprotolfsserver.py Sat Mar 31 23:47:56 2018 -0400
+++ b/hgext/lfs/wireprotolfsserver.py Sat Mar 31 23:58:08 2018 -0400
@@ -22,6 +22,7 @@
 HTTP_OK = hgwebcommon.HTTP_OK
 HTTP_CREATED = hgwebcommon.HTTP_CREATED
 HTTP_BAD_REQUEST = hgwebcommon.HTTP_BAD_REQUEST
+HTTP_NOT_FOUND = hgwebcommon.HTTP_NOT_FOUND
 def handlewsgirequest(orig, rctx, req, res, checkperm):
 """Wrap wireprotoserver.handlewsgirequest() to possibly process an LFS
@@ -244,6 +245,10 @@
 oid = req.dispatchparts[-1]
 localstore = repo.svfs.lfslocalblobstore
+ if len(req.dispatchparts) != 4:
+ _sethttperror(res, HTTP_NOT_FOUND)
+ return True
+
 if method == b'PUT':
 checkperm('upload')
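Review bot: In the second hunk the new guard bounds the number of path components, but nothing visible checks the shape of `oid`, which is still taken verbatim from `req.dispatchparts[-1]` and is presumably used as the key into `localstore`. If the blob store does not already reject malformed ids, the guard could also require a well-formed LFS object id (a 64-character lowercase hex SHA-256), for example by matching `oid` against `br'[0-9a-f]{64}\Z'` and returning the same `HTTP_NOT_FOUND`. The bare `4` would also be easier to maintain with a comment such as `# dispatchparts must be the three-part transfer prefix plus the oid`, and the guard reads more naturally placed before `oid` is assigned. The enclosing function starts and ends outside the hunk, so whether `oid` is validated further down cannot be confirmed from here.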