kallithea Changeset - 22c8f23cc75b

Changeset - 22c8f23cc75b

Parent rev.

Child rev.

[Not reviewed]

Merge default

0 6 0

Mads Kiilerich - 7 years ago 2018-11-05 00:31:07
mads@kiilerich.com

Merge stable

5 files changed with 101 insertions and 12 deletions:

.hgtags

kallithea/lib/base.py

kallithea/lib/markup_renderer.py

kallithea/lib/middleware/simplehg.py

setup.py

0 comments (0 inline, 0 general)

.hgtags

➞

Show inline comments

@@ @@ -64,6 +64,7 @@ c6e32714336345403adf76abb6ebf9b8116fcdc7 @@
 b3e9e242f5c97cc0c7657e5ac93dce7de61ca16 0.3
 bf8eb837e785b6856ccfac264e977ce3ebe1535 0.3.1
 a84d40e9481fcea4dafadee86b03f0dd401527d6 0.3.2
 ea7ea0923618a0c117acebb816a6f0d162bfdb 0.3.3
 cf635c823ea059cc3a1581b82d8672e46b682384 0.3.4
 cca4cc6a0a97f4c4763317184cd41aca4297630 0.3.5
 c9b8f0f17bd34740eb90c69bdc4c80d4b5b31 0.3.6

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -325,13 +325,13 @@ class BaseVCSController(object): @@
     def _check_permission(self, action, user, repo_name, ip_addr=None):
         """
         Checks permissions using action (push/pull) user and repository
         name
         :param action: push or pull action
+        :param action: 'push' or 'pull' action
         :param user: `User` instance
         :param repo_name: repository name
         """
         # check IP
         ip_allowed = AuthUser.check_ip_allowed(user, ip_addr)
         if ip_allowed:

kallithea/lib/markup_renderer.py

➞

Show inline comments

@@ @@ -27,12 +27,15 @@ Original author and date, and relevant c @@
 import re
 import logging
 import traceback
 import markdown as markdown_mod
 import bleach
 from kallithea.lib.utils2 import safe_unicode, MENTIONS_REGEX
 log = logging.getLogger(__name__)
 url_re = re.compile(r'''\bhttps?://(?:[\da-zA-Z0-9@:.-]+)'''
@@ @@ -135,23 +138,49 @@ class MarkupRenderer(object): @@
             return '<a href="%(url)s">%(url)s</a>' % ({'url': url_full})
         source = url_re.sub(url_func, source)
         return '<br />' + source.replace("\n", '<br />')
     @classmethod
     def markdown(cls, source, safe=True, flavored=False):
         """
         Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
         with "safe" fall-back to plaintext.
         >>> MarkupRenderer.markdown('''<img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg">''')
         u'<p><img id="a" src="http://example.com/test.jpg" style="color: red;"></p>'
         >>> MarkupRenderer.markdown('''<img class="c d" src="file://localhost/test.jpg">''')
         u'<p><img class="c d"></p>'
         >>> MarkupRenderer.markdown('''<a href="foo">foo</a>''')
         u'<p><a href="foo">foo</a></p>'
         >>> MarkupRenderer.markdown('''<script>alert(1)</script>''')
         u'&lt;script&gt;alert(1)&lt;/script&gt;'
         >>> MarkupRenderer.markdown('''<div onclick="alert(2)">yo</div>''')
         u'<div>yo</div>'
         >>> MarkupRenderer.markdown('''<a href="javascript:alert(3)">yo</a>''')
         u'<p><a>yo</a></p>'
         """
         source = safe_unicode(source)
         try:
             import markdown as __markdown
             if flavored:
                 source = cls._flavored_markdown(source)
-            return __markdown.markdown(source,
+            markdown_html = markdown_mod.markdown(source,
                                        extensions=['codehilite', 'extra'],
                                        extension_configs={'codehilite': {'css_class': 'code-highlight'}})
         except ImportError:
             log.warning('Install markdown to use this function')
             return cls.plain(source)
             # Allow most HTML, while preventing XSS issues:
             # no <script> tags, no onclick attributes, no javascript
             # "protocol", and also limit styling to prevent defacing.
             return bleach.clean(markdown_html,
                 tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
                       'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
                       'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
                       'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
                       'thead', 'tr', 'ul'],
                 attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
                 styles=['color'],
                 protocols=['http', 'https', 'mailto'],
+                )
         except Exception:
             log.error(traceback.format_exc())
             if safe:
                 log.debug('Falling back to render in plain mode')
                 return cls.plain(source)
             else:

kallithea/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -28,12 +28,13 @@ Original author and date, and relevant c @@
 """
 import os
 import logging
 import traceback
 import urllib
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \
     HTTPNotAcceptable, HTTPBadRequest
 from kallithea.lib.utils2 import safe_str, safe_unicode, fix_PATH, get_server_url, \
     _set_extras
@@ @@ -60,12 +61,30 @@ def is_mercurial(environ): @@
     log.debug('pathinfo: %s detected as Mercurial %s',
         path_info, ishg_path
+    )
     return ishg_path
 def get_header_hgarg(environ):
     """Decode the special Mercurial encoding of big requests over multiple headers.
     >>> get_header_hgarg({})
     ''
     >>> get_header_hgarg({'HTTP_X_HGARG_0': ' ', 'HTTP_X_HGARG_1': 'a','HTTP_X_HGARG_2': '','HTTP_X_HGARG_3': 'b+c %20'})
     'ab+c %20'
     """
     chunks = []
     i = 1
     while True:
         v = environ.get('HTTP_X_HGARG_%d' % i)
         if v is None:
             break
         chunks.append(v)
         i += 1
     return ''.join(chunks)
 class SimpleHg(BaseVCSController):
     def _handle_request(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
@@ @@ -202,22 +221,61 @@ class SimpleHg(BaseVCSController): @@
             raise
         return repo_name
     def __get_action(self, environ):
         """
-        Maps Mercurial request commands into a pull or push command.
+        Maps Mercurial request commands into 'pull' or 'push'.
         Raises HTTPBadRequest if the request environment doesn't look like a hg client.
         """
         mapping = {'unbundle': 'push',
                    'pushkey': 'push'}
         mapping = {
             # 'batch' is not in this list - it is handled explicitly
             'between': 'pull',
             'branches': 'pull',
             'branchmap': 'pull',
             'capabilities': 'pull',
             'changegroup': 'pull',
             'changegroupsubset': 'pull',
             'changesetdata': 'pull',
             'clonebundles': 'pull',
             'debugwireargs': 'pull',
             'filedata': 'pull',
             'getbundle': 'pull',
             'getlfile': 'pull',
             'heads': 'pull',
             'hello': 'pull',
             'known': 'pull',
             'lheads': 'pull',
             'listkeys': 'pull',
             'lookup': 'pull',
             'manifestdata': 'pull',
             'narrow_widen': 'pull',
             'protocaps': 'pull',
             'statlfile': 'pull',
             'stream_out': 'pull',
             'pushkey': 'push',
             'putlfile': 'push',
             'unbundle': 'push',
+            }
         for qry in environ['QUERY_STRING'].split('&'):
             if qry.startswith('cmd'):
                 cmd = qry.split('=')[-1]
                 return mapping.get(cmd, 'pull')
             parts = qry.split('=', 1)
             if len(parts) == 2 and parts[0] == 'cmd':
                 cmd = parts[1]
                 if cmd == 'batch':
                     hgarg = get_header_hgarg(environ)
                     if not hgarg.startswith('cmds='):
                         return 'push' # paranoid and safe
                     for cmd_arg in hgarg[5:].split(';'):
                         cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)
                         op = mapping.get(cmd, 'push')
                         if op != 'pull':
                             assert op == 'push'
                             return 'push'
                     return 'pull'
                 return mapping.get(cmd, 'push')
         # Note: the client doesn't get the helpful error message
         raise HTTPBadRequest('Unable to detect pull/push action! Are you using non standard command or client?')
     def _augment_hgrc(self, repo_path, baseui):
         """Augment baseui with config settings from the repo_path repo"""

setup.py

➞

Show inline comments

@@ modified file chmod 100755 => 100644 @@
@@ @@ -57,12 +57,13 @@ requirements = [ @@
     "URLObject >= 2.3.4, < 2.5",
     "Routes >= 1.13, < 2",
     "dulwich >= 0.14.1, < 0.20",
     "mercurial >= 4.1.1, < 4.9",
     "decorator >= 3.3.2, < 4.4",
     "Paste >= 2.0.3, < 3",
     "bleach >= 3.0, < 3.1",
+]
 if sys.version_info < (2, 7):
     requirements.append("importlib == 1.0.1")
     requirements.append("argparse")

0 comments (0 inline, 0 general)