Changeset - 3ee4ac068369
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich - 7 years ago 2018-10-21 15:18:43
mads@kiilerich.com
Grafted from: f8196b330d10
hg: explicit handling of the 'batch' protocol command - consider it a "push" command if any of the batch commands are

This change mitigates some privilege escalation problems like CVE-2018-1000132
which was fixed in Mercurial 4.5.1 and currently is described on
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 .
1 file changed with 30 insertions and 0 deletions:
kallithea/lib/middleware/simplehg.py
30
0 comments (0 inline, 0 general)
kallithea/lib/middleware/simplehg.py
Show inline comments
 
@@ -22,24 +22,25 @@ This file was forked by the Kallithea pr
 
Original author and date, and relevant copyright and licensing information is below:
 
:created_on: Apr 28, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 

			




	
	
	
		
 
"""

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
import os

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import traceback

			




	
	
	
		
 
import urllib

			




	
	
	
		
 

			




	
	
	
		
 
from paste.httpheaders import REMOTE_USER, AUTH_TYPE

			




	
	
	
		
 
from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \

			




	
	
	
		
 
    HTTPNotAcceptable

			




	
	
	
		
 
from kallithea.model.db import User

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea.lib.utils2 import safe_str, safe_unicode, fix_PATH, get_server_url,\

			




	
	
	
		
 
    _set_extras

			




	
	
	
		
 
from kallithea.lib.base import BaseVCSController, WSGIResultCloseCallback

			




	
	
	
		
 
from kallithea.lib.utils import make_ui, is_valid_repo, ui_sections

			




	
	
	
		
 
from kallithea.lib.vcs.utils.hgcompat import RepoError, hgweb_mod

			




	
	
	
		
 
from kallithea.lib.exceptions import HTTPLockedRC

			




	
	
		
 
@@ -57,24 +58,42 @@ def is_mercurial(environ):

			




	
	
	
		
 
    path_info = environ['PATH_INFO']

			




	
	
	
		
 
    if http_accept and http_accept.startswith('application/mercurial'):

			




	
	
	
		
 
        ishg_path = True

			




	
	
	
		
 
    else:

			




	
	
	
		
 
        ishg_path = False

			




	
	
	
		
 

			




	
	
	
		
 
    log.debug('pathinfo: %s detected as Mercurial %s',

			




	
	
	
		
 
        path_info, ishg_path

			




	
	
	
		
 
    )

			




	
	
	
		
 
    return ishg_path

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def get_header_hgarg(environ):

			




	
	
	
		
 
    """Decode the special Mercurial encoding of big requests over multiple headers.

			




	
	
	
		
 
    >>> get_header_hgarg({})

			




	
	
	
		
 
    ''

			




	
	
	
		
 
    >>> get_header_hgarg({'HTTP_X_HGARG_0': ' ', 'HTTP_X_HGARG_1': 'a','HTTP_X_HGARG_2': '','HTTP_X_HGARG_3': 'b+c %20'})

			




	
	
	
		
 
    'ab+c %20'

			




	
	
	
		
 
    """

			




	
	
	
		
 
    chunks = []

			




	
	
	
		
 
    i = 1

			




	
	
	
		
 
    while True:

			




	
	
	
		
 
        v = environ.get('HTTP_X_HGARG_%d' % i)

			




	
	
	
		
 
        if v is None:

			




	
	
	
		
 
            break

			




	
	
	
		
 
        chunks.append(v)

			




	
	
	
		
 
        i += 1

			




	
	
	
		
 
    return ''.join(chunks)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class SimpleHg(BaseVCSController):

			




	
	
	
		
 

			




	
	
	
		
 
    def _handle_request(self, environ, start_response):

			




	
	
	
		
 
        if not is_mercurial(environ):

			




	
	
	
		
 
            return self.application(environ, start_response)

			




	
	
	
		
 
        if not self._check_ssl(environ):

			




	
	
	
		
 
            return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)

			




	
	
	
		
 

			




	
	
	
		
 
        ip_addr = self._get_ip_addr(environ)

			




	
	
	
		
 
        username = None

			




	
	
	
		
 
        # skip passing error to error controller

			




	
	
	
		
 
        environ['pylons.status_code_redirect'] = True

			




	
	
		
 
@@ -269,24 +288,35 @@ class SimpleHg(BaseVCSController):

			




	
	
	
		
 
        :param environ:

			




	
	
	
		
 
        """

			




	
	
	
		
 
        mapping = {'changegroup': 'pull',

			




	
	
	
		
 
                   'changegroupsubset': 'pull',

			




	
	
	
		
 
                   'stream_out': 'pull',

			




	
	
	
		
 
                   'listkeys': 'pull',

			




	
	
	
		
 
                   'unbundle': 'push',

			




	
	
	
		
 
                   'pushkey': 'push', }

			




	
	
	
		
 
        for qry in environ['QUERY_STRING'].split('&'):

			




	
	
	
		
 
            parts = qry.split('=', 1)

			




	
	
	
		
 
            if len(parts) == 2 and parts[0] == 'cmd':

			




	
	
	
		
 
                cmd = parts[1]

			




	
	
	
		
 
                if cmd == 'batch':

			




	
	
	
		
 
                    hgarg = get_header_hgarg(environ)

			




	
	
	
		
 
                    if not hgarg.startswith('cmds='):

			




	
	
	
		
 
                        return 'push' # paranoid and safe

			




	
	
	
		
 
                    for cmd_arg in hgarg[5:].split(';'):

			




	
	
	
		
 
                        cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)

			




	
	
	
		
 
                        op = mapping.get(cmd, 'pull')

			




	
	
	
		
 
                        if op != 'pull':

			




	
	
	
		
 
                            assert op == 'push'

			




	
	
	
		
 
                            return 'push'

			




	
	
	
		
 
                    return 'pull'

			




	
	
	
		
 
                return mapping.get(cmd, 'pull')

			




	
	
	
		
 

			




	
	
	
		
 
        raise Exception('Unable to detect pull/push action !!'

			




	
	
	
		
 
                        'Are you using non standard command or client ?')

			




	
	
	
		
 

			




	
	
	
		
 
    def __inject_extras(self, repo_path, baseui, extras={}):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Injects some extra params into baseui instance

			




	
	
	
		
 

			




	
	
	
		
 
        also overwrites global settings with those takes from local hgrc file

			




	
	
	
		
 

			




	
	
	
		
 
        :param baseui: baseui instance

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.