Changeset - 72bed56219d6
default
Marcin Kuzminski - 15 years ago 2010-10-18 03:06:38
marcin@python-works.com
security bugfix: simplehg wasn't checking permissions on remote commands other than pull or push.
1 file changed with 15 insertions and 11 deletions:
rhodecode/lib/middleware/simplehg.py
 
@@ -84,20 +84,22 @@ class SimpleHg(object):
 
            try:
 
                user = self.__get_user(username)
 
            except:
 
                log.error(traceback.format_exc())
 
                return HTTPInternalServerError()(environ, start_response)
 
            #check permissions for this repository
 
            if action == 'pull':
 
                if not HasPermissionAnyMiddleware('repository.read',
 
                                                  'repository.write',
 

	
 
            if action == 'push':
 
                if not HasPermissionAnyMiddleware('repository.write',
 
                                                  'repository.admin')\
 
                                                    (user, repo_name):
 
                    return HTTPForbidden()(environ, start_response)
 
            if action == 'push':
 
                if not HasPermissionAnyMiddleware('repository.write',
 

	
 
            else:
 
                if not HasPermissionAnyMiddleware('repository.read',
 
                                                  'repository.write',
 
                                                  'repository.admin')\
 
                                                    (user, repo_name):
 
                    return HTTPForbidden()(environ, start_response)
 
            
 
            #log action    
 
            proxy_key = 'HTTP_X_REAL_IP'
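Review bot: The new `else:` branch applies the read check to every action that is not 'push', and because `__get_action` passes unrecognised wire commands through by name (and yields None when no cmd parameter is present), the push entries in its mapping effectively act as a denylist: any write-capable command missing from that mapping is checked only for read access. That is an improvement over the old code, which checked nothing for such commands, but it fails open rather than closed. If the set of read-only commands this server accepts is known, it would be tighter to map those to 'pull' as well and reject anything unmapped, i.e. change `else:` to `elif action == 'pull':` and add a final `else: return HTTPForbidden()(environ, start_response)`; otherwise at least record the assumption on the branch: `# any non-push command, including unknown ones, only needs read access`. The enclosing method starts before and continues after this hunk.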
 
@@ -138,15 +140,15 @@ class SimpleHg(object):
 

	
 
    def msg_wrapper(self, app, environ, start_response, messages=[]):
 
        """
 
        Wrapper for custom messages that come out of mercurial respond messages
 
        is a list of messages that the user will see at the end of response 
 
        from merurial protocol actions that involves remote answers
 
        @param app:
 
        @param environ:
 
        @param start_response:
 
        :param app:
 
        :param environ:
 
        :param start_response:
 
        """
 
        def custom_messages(msg_list):
 
            for msg in msg_list:
 
                yield msg + '\n'
 
        org_response = app(environ, start_response)
 
        return chain(org_response, custom_messages(messages))
 
@@ -161,26 +163,28 @@ class SimpleHg(object):
 
    def __get_user(self, username):
 
        return get_user_cached(username)
 
        
 
    def __get_action(self, environ):
 
        """
 
        Maps mercurial request commands into a pull or push command.
 
        @param environ:
 
        This should return generally always something
 
        :param environ:
 
        """
 
        mapping = {'changegroup': 'pull',
 
                   'changegroupsubset': 'pull',
 
                   'stream_out': 'pull',
 
                   'listkeys': 'pull',
 
                   'unbundle': 'push',
 
                   'pushkey': 'push', }
 
        
 
        for qry in environ['QUERY_STRING'].split('&'):
 
            if qry.startswith('cmd'):
 
                cmd = qry.split('=')[-1]
 
                if mapping.has_key(cmd):
 
                    return mapping[cmd]
 
                else:
 
                    return cmd
 
    
 
    def __log_user_action(self, user, action, repo, ipaddr):
 
        action_logger(user, action, repo, ipaddr)
 
        
 
    def __invalidate_cache(self, repo_name):
 
        """we know that some change was made to repositories and we should
 
@@ -188,13 +192,13 @@ class SimpleHg(object):
 
        push requests"""
 
        invalidate_cache('cached_repo_list')
 
        invalidate_cache('full_changelog', repo_name)
 
           
 
                   
 
    def __load_web_settings(self, hgserve):
 
        #set the global ui for hgserve
 
        #set the global ui for hgserve instance passed
 
        hgserve.repo.ui = self.baseui
 
        
 
        hgrc = os.path.join(self.repo_path, '.hg', 'hgrc')
 
        repoui = make_ui('file', hgrc, False)
 
        
 
        