Mercurial Mercurial > mercurial / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-non-interactive.t
author Yuya Nishihara <yuya@tcha.org>
Mon, 07 Aug 2017 22:22:28 +0900
branchstable
changeset 33660 3fee7f7d2da0
parent 32940 75be14993fda
child 33720 27fb986e54d0
permissions -rw-r--r--
ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.

Tests if hgweb can run without touching sys.stdin, as is required
by the WSGI standard and strictly implemented by mod_wsgi.

  $ hg init repo
  $ cd repo
  $ echo foo > bar
  $ hg add bar
  $ hg commit -m "test"
  $ cat > request.py <<EOF
  > from __future__ import absolute_import
  > import os
  > import sys
  > from mercurial import (
  >     dispatch,
  >     hg,
  >     ui as uimod,
  >     util,
  > )
  > ui = uimod.ui
  > from mercurial.hgweb.hgweb_mod import (
  >     hgweb,
  > )
  > stringio = util.stringio
  > 
  > class FileLike(object):
  >     def __init__(self, real):
  >         self.real = real
  >     def fileno(self):
  >         print >> sys.__stdout__, 'FILENO'
  >         return self.real.fileno()
  >     def read(self):
  >         print >> sys.__stdout__, 'READ'
  >         return self.real.read()
  >     def readline(self):
  >         print >> sys.__stdout__, 'READLINE'
  >         return self.real.readline()
  > 
  > sys.stdin = FileLike(sys.stdin)
  > errors = stringio()
  > input = stringio()
  > output = stringio()
  > 
  > def startrsp(status, headers):
  >     print '---- STATUS'
  >     print status
  >     print '---- HEADERS'
  >     print [i for i in headers if i[0] != 'ETag']
  >     print '---- DATA'
  >     return output.write
  > 
  > env = {
  >     'wsgi.version': (1, 0),
  >     'wsgi.url_scheme': 'http',
  >     'wsgi.errors': errors,
  >     'wsgi.input': input,
  >     'wsgi.multithread': False,
  >     'wsgi.multiprocess': False,
  >     'wsgi.run_once': False,
  >     'REQUEST_METHOD': 'GET',
  >     'SCRIPT_NAME': '',
  >     'PATH_INFO': '',
  >     'QUERY_STRING': '',
  >     'SERVER_NAME': '$LOCALIP',
  >     'SERVER_PORT': os.environ['HGPORT'],
  >     'SERVER_PROTOCOL': 'HTTP/1.0'
  > }
  > 
  > i = hgweb('.')
  > for c in i(env, startrsp):
  >     pass
  > print '---- ERRORS'
  > print errors.getvalue()
  > print '---- OS.ENVIRON wsgi variables'
  > print sorted([x for x in os.environ if x.startswith('wsgi')])
  > print '---- request.ENVIRON wsgi variables'
  > with i._obtainrepo() as repo:
  >     print sorted([x for x in repo.ui.environ if x.startswith('wsgi')])
  > EOF
  $ $PYTHON request.py
  ---- STATUS
  200 Script output follows
  ---- HEADERS
  [('Content-Type', 'text/html; charset=ascii')]
  ---- DATA
  ---- ERRORS
  
  ---- OS.ENVIRON wsgi variables
  []
  ---- request.ENVIRON wsgi variables
  ['wsgi.errors', 'wsgi.input', 'wsgi.multiprocess', 'wsgi.multithread', 'wsgi.run_once', 'wsgi.url_scheme', 'wsgi.version']

  $ cd ..
mercurial