Mercurial > hg

changeset 5963:5be210afe1b8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: explicitly check if requested command exists
author Dirkjan Ochtman <dirkjan@ochtman.nl>
date Mon, 28 Jan 2008 14:58:03 +0100
parents 0011316fbe0e
children 1cd1582ef25f
files mercurial/hgweb/hgweb_mod.py mercurial/hgweb/protocol.py mercurial/hgweb/webcommands.py
diffstat 3 files changed, 21 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/hgweb/hgweb_mod.py	Mon Jan 28 13:42:40 2008 +0100
+++ b/mercurial/hgweb/hgweb_mod.py	Mon Jan 28 14:58:03 2008 +0100
@@ -202,17 +202,18 @@
         try:
 
             cmd = req.form.get('cmd', [''])[0]
-            if hasattr(protocol, cmd):
+            if cmd in protocol.__all__:
                 method = getattr(protocol, cmd)
                 method(self, req)
             else:
-
                 tmpl = self.templater(req)
                 if cmd == '':
                     req.form['cmd'] = [tmpl.cache['default']]
                     cmd = req.form['cmd'][0]
 
-                if cmd == 'file' and 'raw' in req.form.get('style', []):
+                if cmd not in webcommands.__all__:
+                    raise ErrorResponse(400, 'No such method: ' + cmd)
+                elif cmd == 'file' and 'raw' in req.form.get('style', []):
                     webcommands.rawfile(self, req, tmpl)
                 else:
                     getattr(webcommands, cmd)(self, req, tmpl)
@@ -227,8 +228,6 @@
                         tmpl('error', error=str(inst)))
         except ErrorResponse, inst:
             req.respond(inst.code, tmpl('error', error=inst.message))
-        except AttributeError:
-            req.respond(400, tmpl('error', error='No such method: ' + cmd))
 
     def templater(self, req):
 
--- a/mercurial/hgweb/protocol.py	Mon Jan 28 13:42:40 2008 +0100
+++ b/mercurial/hgweb/protocol.py	Mon Jan 28 14:58:03 2008 +0100
@@ -10,6 +10,14 @@
 from mercurial.i18n import gettext as _
 from mercurial.node import *
 
+# __all__ is populated with the allowed commands. Be sure to add to it if
+# you're adding a new command, or the new command won't work.
+
+__all__ = [
+   'lookup', 'heads', 'branches', 'between', 'changegroup',
+   'changegroupsubset', 'capabilities', 'unbundle', 'stream_out',
+]
+
 def lookup(web, req):
     try:
         r = hex(web.repo.lookup(req.form['key'][0]))
--- a/mercurial/hgweb/webcommands.py	Mon Jan 28 13:42:40 2008 +0100
+++ b/mercurial/hgweb/webcommands.py	Mon Jan 28 14:58:03 2008 +0100
@@ -9,6 +9,15 @@
 from mercurial import revlog, util, hg
 from common import staticfile, ErrorResponse
 
+# __all__ is populated with the allowed commands. Be sure to add to it if
+# you're adding a new command, or the new command won't work.
+
+__all__ = [
+   'log', 'rawfile', 'file', 'changelog', 'shortlog', 'changeset', 'rev',
+   'manifest', 'tags', 'summary', 'filediff', 'diff', 'annotate', 'filelog',
+   'archive', 'static',
+]
+
 def log(web, req, tmpl):
     if 'file' in req.form and req.form['file'][0]:
         filelog(web, req, tmpl)