revlog: verify censored flag when hashing added revision fulltext
When receiving a delta via exchange, three possible storage outcomes emerge:
1. The delta is added directly to the revlog. ("fast-path")
2. A freshly-computed delta with a different base is stored.
3. The new revision's fulltext is computed and stored outright.
Both (2) and (3) require materializing the full text of the new revision by
applying the delta to its base. This is typically followed by a hash check.
The new flags argument allows callers to _addrevision to signal that they
expect that hash check to fail. We can use this opportunity to verify that
expectation. If the hash fails, require the flag be set; if the hash passes,
require the flag be unset.
Rather than simply eliding the hash check, this approach provides some
assurance that the censored flag is not applied to valid revisions.
Read more at: http://mercurial.selenic.com/wiki/CensorPlan
--- a/mercurial/revlog.py Mon Jan 12 14:30:24 2015 -0500
+++ b/mercurial/revlog.py Mon Jan 12 14:41:25 2015 -0500
@@ -1235,8 +1235,12 @@
btext[0] = mdiff.patch(basetext, cachedelta[1])
try:
self.checkhash(btext[0], p1, p2, node)
+ if flags & REVIDX_ISCENSORED:
+ raise RevlogError(_('node %s is not censored') % node)
except CensoredNodeError:
- pass # always import a censor tombstone.
+ # must pass the censored index flag to add censored revisions
+ if not flags & REVIDX_ISCENSORED:
+ raise
return btext[0]
def builddelta(rev):