153 signal.signal(num, catchterm) |
153 signal.signal(num, catchterm) |
154 except ValueError: |
154 except ValueError: |
155 pass # happens if called in a thread |
155 pass # happens if called in a thread |
156 |
156 |
157 def _runcatchfunc(): |
157 def _runcatchfunc(): |
|
158 realcmd = None |
|
159 try: |
|
160 cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {}) |
|
161 cmd = cmdargs[0] |
|
162 aliases, entry = cmdutil.findcmd(cmd, commands.table, False) |
|
163 realcmd = aliases[0] |
|
164 except (error.UnknownCommand, error.AmbiguousCommand, |
|
165 IndexError, getopt.GetoptError): |
|
166 # Don't handle this here. We know the command is |
|
167 # invalid, but all we're worried about for now is that |
|
168 # it's not a command that server operators expect to |
|
169 # be safe to offer to users in a sandbox. |
|
170 pass |
|
171 if realcmd == 'serve' and '--stdio' in cmdargs: |
|
172 # We want to constrain 'hg serve --stdio' instances pretty |
|
173 # closely, as many shared-ssh access tools want to grant |
|
174 # access to run *only* 'hg -R $repo serve --stdio'. We |
|
175 # restrict to exactly that set of arguments, and prohibit |
|
176 # any repo name that starts with '--' to prevent |
|
177 # shenanigans wherein a user does something like pass |
|
178 # --debugger or --config=ui.debugger=1 as a repo |
|
179 # name. This used to actually run the debugger. |
|
180 if (len(req.args) != 4 or |
|
181 req.args[0] != '-R' or |
|
182 req.args[1].startswith('--') or |
|
183 req.args[2] != 'serve' or |
|
184 req.args[3] != '--stdio'): |
|
185 raise error.Abort( |
|
186 _('potentially unsafe serve --stdio invocation: %r') % |
|
187 (req.args,)) |
|
188 |
158 try: |
189 try: |
159 debugger = 'pdb' |
190 debugger = 'pdb' |
160 debugtrace = { |
191 debugtrace = { |
161 'pdb' : pdb.set_trace |
192 'pdb' : pdb.set_trace |
162 } |
193 } |