hgweb: don't respond to api requests unless feature is enabled
author Gregory Szorc <gregory.szorc@gmail.com>
Fri, 23 Mar 2018 11:20:13 -0700
changeset 37093 db114320df7e
parent 37092 ef6215df2402
child 37094 7f025c9b7865
hgweb: don't respond to api requests unless feature is enabled

Per discussion at https://phab.mercurial-scm.org/D2834, new URLs in hgweb can conflict with subrepos and virtual repos. This may prevent access to repos in certain paths or having certain names. Until we have a workaround for this, let's not serve requests for "api/" URLs unless the feature is enabled.

Differential Revision: https://phab.mercurial-scm.org/D2936
mercurial/hgweb/hgweb_mod.py
tests/test-http-api.t
--- a/mercurial/hgweb/hgweb_mod.py	Fri Mar 23 11:20:49 2018 -0700
+++ b/mercurial/hgweb/hgweb_mod.py	Fri Mar 23 11:20:13 2018 -0700
@@ -321,8 +321,11 @@
             res.headers['Content-Security-Policy'] = rctx.csp
 
         # /api/* is reserved for various API implementations. Dispatch
-        # accordingly.
-        if req.dispatchparts and req.dispatchparts[0] == b'api':
+        # accordingly. But URL paths can conflict with subrepos and virtual
+        # repos in hgwebdir. So until we have a workaround for this, only
+        # expose the URLs if the feature is enabled.
+        apienabled = rctx.repo.ui.configbool('experimental', 'web.apiserver')
+        if apienabled and req.dispatchparts and req.dispatchparts[0] == b'api':
             wireprotoserver.handlewsgiapirequest(rctx, req, res,
                                                  self.check_perm)
             return res.sendresponse()
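Review bot: the "apienabled = rctx.repo.ui.configbool('experimental', 'web.apiserver')" line runs the config lookup on every request, including those whose first path component is not "api"; moving the lookup into the condition after the "req.dispatchparts[0] == b'api'" test would keep it off the common path. The new comment says "if the feature is enabled" without naming the option, so spelling out experimental.web.apiserver there would help an operator find the switch. The removed test expectations show a 404 "Experimental API server endpoint not enabled" response; if that reply is produced inside handlewsgiapirequest, it is worth checking whether that branch is still reachable now that this call site is gated.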
--- a/tests/test-http-api.t	Fri Mar 23 11:20:49 2018 -0700
+++ b/tests/test-http-api.t	Fri Mar 23 11:20:13 2018 -0700
@@ -8,43 +8,133 @@
 
 Request to /api fails unless web.apiserver is enabled
 
-  $ send << EOF
-  > httprequest GET api
-  >     user-agent: test
-  > EOF
-  using raw connection to peer
-  s>     GET /api HTTP/1.1\r\n
-  s>     Accept-Encoding: identity\r\n
-  s>     user-agent: test\r\n
-  s>     host: $LOCALIP:$HGPORT\r\n (glob)
-  s>     \r\n
-  s> makefile('rb', None)
-  s>     HTTP/1.1 404 Not Found\r\n
-  s>     Server: testing stub value\r\n
-  s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Type: text/plain\r\n
-  s>     Content-Length: 44\r\n
-  s>     \r\n
-  s>     Experimental API server endpoint not enabled
+  $ get-with-headers.py $LOCALIP:$HGPORT api
+  400 no such method: api
+  
+  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
+  <head>
+  <link rel="icon" href="/static/hgicon.png" type="image/png" />
+  <meta name="robots" content="index, nofollow" />
+  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
+  <script type="text/javascript" src="/static/mercurial.js"></script>
+  
+  <title>$TESTTMP/server: error</title>
+  </head>
+  <body>
+  
+  <div class="container">
+  <div class="menu">
+  <div class="logo">
+  <a href="https://mercurial-scm.org/">
+  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
+  </div>
+  <ul>
+  <li><a href="/shortlog">log</a></li>
+  <li><a href="/graph">graph</a></li>
+  <li><a href="/tags">tags</a></li>
+  <li><a href="/bookmarks">bookmarks</a></li>
+  <li><a href="/branches">branches</a></li>
+  </ul>
+  <ul>
+  <li><a href="/help">help</a></li>
+  </ul>
+  </div>
+  
+  <div class="main">
+  
+  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
+  <h3>error</h3>
+  
+  
+  <form class="search" action="/log">
+  
+  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
+  <div id="hint">Find changesets by keywords (author, files, the commit message), revision
+  number or hash, or <a href="/help/revsets">revset expression</a>.</div>
+  </form>
+  
+  <div class="description">
+  <p>
+  An error occurred while processing your request:
+  </p>
+  <p>
+  no such method: api
+  </p>
+  </div>
+  </div>
+  </div>
+  
+  
+  
+  </body>
+  </html>
+  
+  [1]
 
-  $ send << EOF
-  > httprequest GET api/
-  >     user-agent: test
-  > EOF
-  using raw connection to peer
-  s>     GET /api/ HTTP/1.1\r\n
-  s>     Accept-Encoding: identity\r\n
-  s>     user-agent: test\r\n
-  s>     host: $LOCALIP:$HGPORT\r\n (glob)
-  s>     \r\n
-  s> makefile('rb', None)
-  s>     HTTP/1.1 404 Not Found\r\n
-  s>     Server: testing stub value\r\n
-  s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Type: text/plain\r\n
-  s>     Content-Length: 44\r\n
-  s>     \r\n
-  s>     Experimental API server endpoint not enabled
+  $ get-with-headers.py $LOCALIP:$HGPORT api/
+  400 no such method: api
+  
+  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US">
+  <head>
+  <link rel="icon" href="/static/hgicon.png" type="image/png" />
+  <meta name="robots" content="index, nofollow" />
+  <link rel="stylesheet" href="/static/style-paper.css" type="text/css" />
+  <script type="text/javascript" src="/static/mercurial.js"></script>
+  
+  <title>$TESTTMP/server: error</title>
+  </head>
+  <body>
+  
+  <div class="container">
+  <div class="menu">
+  <div class="logo">
+  <a href="https://mercurial-scm.org/">
+  <img src="/static/hglogo.png" width=75 height=90 border=0 alt="mercurial" /></a>
+  </div>
+  <ul>
+  <li><a href="/shortlog">log</a></li>
+  <li><a href="/graph">graph</a></li>
+  <li><a href="/tags">tags</a></li>
+  <li><a href="/bookmarks">bookmarks</a></li>
+  <li><a href="/branches">branches</a></li>
+  </ul>
+  <ul>
+  <li><a href="/help">help</a></li>
+  </ul>
+  </div>
+  
+  <div class="main">
+  
+  <h2 class="breadcrumb"><a href="/">Mercurial</a> </h2>
+  <h3>error</h3>
+  
+  
+  <form class="search" action="/log">
+  
+  <p><input name="rev" id="search1" type="text" size="30" value="" /></p>
+  <div id="hint">Find changesets by keywords (author, files, the commit message), revision
+  number or hash, or <a href="/help/revsets">revset expression</a>.</div>
+  </form>
+  
+  <div class="description">
+  <p>
+  An error occurred while processing your request:
+  </p>
+  <p>
+  no such method: api
+  </p>
+  </div>
+  </div>
+  </div>
+  
+  
+  
+  </body>
+  </html>
+  
+  [1]
 
 Restart server with support for API server
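Review bot: both new "get-with-headers.py" expectations pin the entire rendered error page, so any change to the paper template (menu links, search form, static asset paths) will break this test for reasons unrelated to the API gate; matching only the "400 no such method: api" status line would test the same behaviour. The commit message gives conflicts with subrepos and virtual repos as the motivation, but nothing in this hunk exercises a repo served at a path named "api" with the feature disabled, so the case the change is meant to protect is not covered. The disabled response also changes from a plain-text 404 to an HTML 400, which is worth a line in the test description in case a client keys on the status code.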