changeset 36756:2ecb0fc535b1 stable

hgweb: always perform permissions checks on protocol commands (BC) (SEC) Previously, the HTTP request handling code would only perform permissions checking on a wire protocol command if that wire protocol command defined its permissions / operation type. This meant that commands (possibly provided by extensions) not defining their operation type would bypass permissions check. This could lead to exfiltration of data from servers and mutating repositories that were supposed to be read-only. This security issue has been present since the permissions table was introduced by d3147b4e3e8a in 2008. This commit changes the behavior of the HTTP server to always perform permissions checking for protocol requests. If an explicit permission for a wire protocol command is not defined, the server assumes the command can be used for writing and governs access accordingly. .. bc:: Wire protocol commands not defining their operation type in ``wireproto.PERMISSIONS`` are now assumed to be used for "push" operations and access control to run those commands is now enforced accordingly.
author Gregory Szorc <gregory.szorc@gmail.com>
date Sun, 18 Feb 2018 17:20:38 -0800
parents ff4bc0ab6740
children 8bba684efde7
files mercurial/hgweb/hgweb_mod.py tests/test-http-permissions.t
diffstat 2 files changed, 145 insertions(+), 116 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/hgweb/hgweb_mod.py	Tue Feb 20 18:55:58 2018 -0800
+++ b/mercurial/hgweb/hgweb_mod.py	Sun Feb 18 17:20:38 2018 -0800
@@ -362,8 +362,11 @@
                     raise ErrorResponse(HTTP_NOT_FOUND)
 
                 req.checkperm = lambda op: self.check_perm(rctx, req, op)
-                if cmd in perms:
-                    req.checkperm(perms[cmd])
+                # Assume commands with no defined permissions are writes /
+                # for pushes. This is the safest from a security perspective
+                # because it doesn't allow commands with undefined semantics
+                # from bypassing permissions checks.
+                req.checkperm(perms.get(cmd, 'push'))
                 return protocol.call(rctx.repo, req, cmd)
             except ErrorResponse as inst:
                 # A client that sends unbundle without 100-continue will
--- a/tests/test-http-permissions.t	Tue Feb 20 18:55:58 2018 -0800
+++ b/tests/test-http-permissions.t	Sun Feb 18 17:20:38 2018 -0800
@@ -90,12 +90,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -105,9 +105,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -149,12 +151,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -164,9 +166,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -206,12 +210,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -221,9 +225,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -258,12 +264,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -273,9 +279,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -309,21 +317,23 @@
   publishing	True (no-eol)
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  read-only command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   200 Script output follows
   
   read-only command w/ defined permissions
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -362,21 +372,23 @@
   publishing	True (no-eol)
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  read-only command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   200 Script output follows
   
   read-only command w/ defined permissions
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -410,21 +422,23 @@
   publishing	True (no-eol)
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  read-only command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   200 Script output follows
   
   read-only command w/ defined permissions
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -464,12 +478,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -479,9 +493,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -516,12 +532,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -531,9 +547,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -567,21 +585,23 @@
   publishing	True (no-eol)
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  read-only command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   200 Script output follows
   
   read-only command w/ defined permissions
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -622,12 +642,12 @@
   read not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -637,9 +657,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized
@@ -686,12 +708,12 @@
   pull not authorized
   [1]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  read-only command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 pull not authorized
@@ -701,9 +723,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -747,12 +771,12 @@
   abort: bookmark 'bm' does not exist
   [255]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -788,12 +812,12 @@
   abort: bookmark 'bm' does not exist
   [255]
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  405 push requires POST request
   
-  write command no defined permissions
+  0
+  push requires POST request
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   405 push requires POST request
@@ -829,12 +853,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  403 ssl required
   
-  write command no defined permissions
+  0
+  ssl required
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   403 ssl required
@@ -892,12 +916,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -949,12 +973,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -1012,12 +1036,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -1069,12 +1093,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -1242,12 +1266,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -1367,12 +1391,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 push not authorized
   
-  write command no defined permissions
+  0
+  push not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 push not authorized
@@ -1431,12 +1455,12 @@
   $ hg bookmarks
   no bookmarks set
 
-TODO custom commands don't check permissions
-
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadnoperm'
-  200 Script output follows
+  401 read not authorized
   
-  read-only command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customreadwithperm'
   401 read not authorized
@@ -1446,9 +1470,11 @@
   [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritenoperm'
-  200 Script output follows
+  401 read not authorized
   
-  write command no defined permissions
+  0
+  read not authorized
+  [1]
 
   $ get-with-headers.py $LOCALIP:$HGPORT '?cmd=customwritewithperm'
   401 read not authorized