kallithea Changeset - ba444b73e01a

Changeset - ba444b73e01a

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Mads Kiilerich - 7 years ago 2018-10-21 15:19:56
mads@kiilerich.com

Grafted from: 7c1447d1fc43

hg: make protocol access control more explicit

Enumerate all currently known commands, and default to require 'push' access
for all unknown commands.

This change mitigates some privilege escalation problems like CVE-2018-1000132
which was fixed in Mercurial 4.5.1 and currently is described on
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 .

1 file changed with 31 insertions and 8 deletions:

kallithea/lib/middleware/simplehg.py

0 comments (0 inline, 0 general)

kallithea/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -287,12 +287,35 @@ class SimpleHg(BaseVCSController): @@
         :param environ:
         """
         mapping = {'changegroup': 'pull',
                    'changegroupsubset': 'pull',
                    'stream_out': 'pull',
                    'listkeys': 'pull',
                    'unbundle': 'push',
                    'pushkey': 'push', }
         mapping = {
             # 'batch' is not in this list - it is handled explicitly
             'between': 'pull',
             'branches': 'pull',
             'branchmap': 'pull',
             'capabilities': 'pull',
             'changegroup': 'pull',
             'changegroupsubset': 'pull',
             'changesetdata': 'pull',
             'clonebundles': 'pull',
             'debugwireargs': 'pull',
             'filedata': 'pull',
             'getbundle': 'pull',
             'getlfile': 'pull',
             'heads': 'pull',
             'hello': 'pull',
             'known': 'pull',
             'lheads': 'pull',
             'listkeys': 'pull',
             'lookup': 'pull',
             'manifestdata': 'pull',
             'narrow_widen': 'pull',
             'protocaps': 'pull',
             'statlfile': 'pull',
             'stream_out': 'pull',
             'pushkey': 'push',
             'putlfile': 'push',
             'unbundle': 'push',
+            }
         for qry in environ['QUERY_STRING'].split('&'):
             parts = qry.split('=', 1)
             if len(parts) == 2 and parts[0] == 'cmd':
@@ @@ -303,12 +326,12 @@ class SimpleHg(BaseVCSController): @@
                         return 'push' # paranoid and safe
                     for cmd_arg in hgarg[5:].split(';'):
                         cmd, _args = urllib.unquote_plus(cmd_arg).split(' ', 1)
-                        op = mapping.get(cmd, 'pull')
+                        op = mapping.get(cmd, 'push')
                         if op != 'pull':
                             assert op == 'push'
                             return 'push'
                     return 'pull'
-                return mapping.get(cmd, 'pull')
+                return mapping.get(cmd, 'push')
         raise Exception('Unable to detect pull/push action !!'
                         'Are you using non standard command or client ?')

0 comments (0 inline, 0 general)