changeset 37093:db114320df7e
hgweb: don't respond to api requests unless feature is enabled
Per discussion at https://phab.mercurial-scm.org/D2834, new URLs
in hgweb can conflict with subrepos and virtual repos. This may prevent
access to repos in certain paths or having certain names.
Until we have a workaround for this, let's not serve requests for
"api/" URLs unless the feature is enabled.
Differential Revision: https://phab.mercurial-scm.org/D2936
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Fri, 23 Mar 2018 11:20:13 -0700 |
parents | ef6215df2402 |
children | 7f025c9b7865 |
files | mercurial/hgweb/hgweb_mod.py tests/test-http-api.t |
diffstat | 2 files changed, 131 insertions(+), 38 deletions(-) |
--- a/mercurial/hgweb/hgweb_mod.py Fri Mar 23 11:20:49 2018 -0700 +++ b/mercurial/hgweb/hgweb_mod.py Fri Mar 23 11:20:13 2018 -0700 @@ -321,8 +321,11 @@ res.headers['Content-Security-Policy'] = rctx.csp # /api/* is reserved for various API implementations. Dispatch - # accordingly. - if req.dispatchparts and req.dispatchparts[0] == b'api': + # accordingly. But URL paths can conflict with subrepos and virtual + # repos in hgwebdir. So until we have a workaround for this, only + # expose the URLs if the feature is enabled. + apienabled = rctx.repo.ui.configbool('experimental', 'web.apiserver') + if apienabled and req.dispatchparts and req.dispatchparts[0] == b'api': wireprotoserver.handlewsgiapirequest(rctx, req, res, self.check_perm) return res.sendresponse()
--- a/tests/test-http-api.t Fri Mar 23 11:20:49 2018 -0700 +++ b/tests/test-http-api.t Fri Mar 23 11:20:13 2018 -0700 
@@ -8,43 +8,133 @@ Request to /api fails unless web.apiserver is enabled - $ send << EOF - > httprequest GET api - > user-agent: test - > EOF - using raw connection to peer - s> GET /api HTTP/1.1\r\n - s> Accept-Encoding: identity\r\n - s> user-agent: test\r\n - s> host: $LOCALIP:$HGPORT\r\n (glob) - s> \r\n - s> makefile('rb', None) - s> HTTP/1.1 404 Not Found\r\n - s> Server: testing stub value\r\n - s> Date: $HTTP_DATE$\r\n - s> Content-Type: text/plain\r\n - s> Content-Length: 44\r\n - s> \r\n - s> Experimental API server endpoint not enabled + $ get-with-headers.py $LOCALIP:$HGPORT api + 400 no such method: api + + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> + <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"> + <head> + <link rel="icon" href="/static/hgicon.png" type="image/png" /> + <meta name="robots" content="index, nofollow" /> + <link rel="stylesheet" href="/static/style-paper.css" type="text/css" /> + <script type="text/javascript" src="/static/mercurial.js"></script> + + <title>$TESTTMP/server: error</title> + </head> + <body> + + <div class="container"> + <div class="menu"> + <div class="logo"> + <a href="https://mercurial-scm.org/"> + <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a> + </div> + <ul> + <li><a href="/shortlog">log</a></li> + <li><a href="/graph">graph</a></li> + <li><a href="/tags">tags</a></li> + <li><a href="/bookmarks">bookmarks</a></li> + <li><a href="/branches">branches</a></li> + </ul> + <ul> + <li><a href="/help">help</a></li> + </ul> + </div> + + <div class="main"> + + <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2> + <h3>error</h3> + + + <form class="search" action="/log"> + + <p><input name="rev" id="search1" type="text" size="30" value="" /></p> + <div id="hint">Find changesets by keywords (author, files, the commit message), revision + number or hash, or <a href="/help/revsets">revset expression</a>.</div> + </form> + + 
<div class="description"> + <p> + An error occurred while processing your request: + </p> + <p> + no such method: api + </p> + </div> + </div> + </div> + + + + </body> + </html> + + [1] - $ send << EOF - > httprequest GET api/ - > user-agent: test - > EOF - using raw connection to peer - s> GET /api/ HTTP/1.1\r\n - s> Accept-Encoding: identity\r\n - s> user-agent: test\r\n - s> host: $LOCALIP:$HGPORT\r\n (glob) - s> \r\n - s> makefile('rb', None) - s> HTTP/1.1 404 Not Found\r\n - s> Server: testing stub value\r\n - s> Date: $HTTP_DATE$\r\n - s> Content-Type: text/plain\r\n - s> Content-Length: 44\r\n - s> \r\n - s> Experimental API server endpoint not enabled + $ get-with-headers.py $LOCALIP:$HGPORT api/ + 400 no such method: api + + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> + <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"> + <head> + <link rel="icon" href="/static/hgicon.png" type="image/png" /> + <meta name="robots" content="index, nofollow" /> + <link rel="stylesheet" href="/static/style-paper.css" type="text/css" /> + <script type="text/javascript" src="/static/mercurial.js"></script> + + <title>$TESTTMP/server: error</title> + </head> + <body> + + <div class="container"> + <div class="menu"> + <div class="logo"> + <a href="https://mercurial-scm.org/"> + <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a> + </div> + <ul> + <li><a href="/shortlog">log</a></li> + <li><a href="/graph">graph</a></li> + <li><a href="/tags">tags</a></li> + <li><a href="/bookmarks">bookmarks</a></li> + <li><a href="/branches">branches</a></li> + </ul> + <ul> + <li><a href="/help">help</a></li> + </ul> + </div> + + <div class="main"> + + <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2> + <h3>error</h3> + + + <form class="search" action="/log"> + + <p><input name="rev" id="search1" type="text" size="30" value="" /></p> + <div id="hint">Find changesets by keywords (author, files, the 
commit message), revision + number or hash, or <a href="/help/revsets">revset expression</a>.</div> + </form> + + <div class="description"> + <p> + An error occurred while processing your request: + </p> + <p> + no such method: api + </p> + </div> + </div> + </div> + + + + </body> + </html> + + [1] Restart server with support for API server
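Review bot: In the mercurial/hgweb/hgweb_mod.py hunk, `rctx.repo.ui.configbool('experimental', 'web.apiserver')` is read for every request before the path is looked at, and with the option off an `api` URL silently falls through to the normal command dispatcher. Consider checking `req.dispatchparts and req.dispatchparts[0] == b'api'` first and reading the option only inside that branch. The new comment should also say that the disabled case is deliberately left to the regular dispatcher, because the updated test shows the response changing from the 404 "Experimental API server endpoint not enabled" to "400 no such method: api". If `handlewsgiapirequest` still performs its own enabled check that produced that 404, the check can no longer be reached from this call site and is worth either removing or explaining.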
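Review bot: In the tests/test-http-api.t hunk, the two disabled-feature requests (`api` and `api/`) now assert the full HTML error page, so any change to the template markup will break a test whose subject is API gating. Asserting only on the status line `400 no such method: api` would keep the test focused and remove most of the 131 added lines. Only `api` and `api/` are requested with the feature off. Since the commit message is about repos that live under that prefix, a request with a further path segment after `api/` would cover the case the change is meant to protect.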