2006-06-02 19:05:01 +04:00
|
|
|
# hgweb/hgwebdir_mod.py - Web interface for a directory of repositories.
|
2006-05-31 21:42:44 +04:00
|
|
|
#
|
|
|
|
# Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net>
|
2006-08-12 23:30:02 +04:00
|
|
|
# Copyright 2005, 2006 Matt Mackall <mpm@selenic.com>
|
2006-05-31 21:42:44 +04:00
|
|
|
#
|
2009-04-26 03:08:54 +04:00
|
|
|
# This software may be used and distributed according to the terms of the
|
2010-01-20 07:20:08 +03:00
|
|
|
# GNU General Public License version 2 or any later version.
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2015-10-31 16:07:40 +03:00
|
|
|
from __future__ import absolute_import
|
|
|
|
|
|
|
|
import os
|
|
|
|
import re
|
|
|
|
import time
|
|
|
|
|
|
|
|
from ..i18n import _
|
|
|
|
|
|
|
|
from .common import (
|
|
|
|
ErrorResponse,
|
|
|
|
HTTP_NOT_FOUND,
|
|
|
|
HTTP_OK,
|
|
|
|
HTTP_SERVER_ERROR,
|
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
2017-01-11 10:37:08 +03:00
|
|
|
cspvalues,
|
2015-10-31 16:07:40 +03:00
|
|
|
get_contact,
|
|
|
|
get_mtime,
|
|
|
|
ismember,
|
|
|
|
paritygen,
|
|
|
|
staticfile,
|
|
|
|
)
|
|
|
|
from .request import wsgirequest
|
|
|
|
|
|
|
|
from .. import (
|
|
|
|
encoding,
|
|
|
|
error,
|
|
|
|
hg,
|
2016-08-15 04:37:24 +03:00
|
|
|
profiling,
|
2015-10-31 16:07:40 +03:00
|
|
|
scmutil,
|
|
|
|
templater,
|
|
|
|
ui as uimod,
|
|
|
|
util,
|
|
|
|
)
|
|
|
|
|
|
|
|
from . import (
|
|
|
|
hgweb_mod,
|
|
|
|
webutil,
|
|
|
|
wsgicgi,
|
|
|
|
)
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2009-04-27 13:37:08 +04:00
|
|
|
def cleannames(items):
|
|
|
|
return [(util.pconvert(name).strip('/'), path) for name, path in items]
|
|
|
|
|
2009-05-20 18:04:37 +04:00
|
|
|
def findrepos(paths):
|
2009-11-05 17:01:00 +03:00
|
|
|
repos = []
|
2009-05-20 18:04:37 +04:00
|
|
|
for prefix, root in cleannames(paths):
|
|
|
|
roothead, roottail = os.path.split(root)
|
2012-06-21 14:50:15 +04:00
|
|
|
# "foo = /bar/*" or "foo = /bar/**" lets every repo /bar/N in or below
|
|
|
|
# /bar/ be served as as foo/N .
|
|
|
|
# '*' will not search inside dirs with .hg (except .hg/patches),
|
|
|
|
# '**' will search inside dirs with .hg (and thus also find subrepos).
|
2009-05-20 18:04:37 +04:00
|
|
|
try:
|
|
|
|
recurse = {'*': False, '**': True}[roottail]
|
|
|
|
except KeyError:
|
2009-11-05 17:01:00 +03:00
|
|
|
repos.append((prefix, root))
|
2009-05-20 18:04:37 +04:00
|
|
|
continue
|
2010-07-22 00:22:28 +04:00
|
|
|
roothead = os.path.normpath(os.path.abspath(roothead))
|
2011-04-21 18:06:19 +04:00
|
|
|
paths = scmutil.walkrepos(roothead, followsym=True, recurse=recurse)
|
2011-02-15 03:04:10 +03:00
|
|
|
repos.extend(urlrepos(prefix, roothead, paths))
|
2009-11-05 17:01:00 +03:00
|
|
|
return repos
|
2009-05-20 18:04:37 +04:00
|
|
|
|
2011-02-15 03:04:10 +03:00
|
|
|
def urlrepos(prefix, roothead, paths):
|
|
|
|
"""yield url paths and filesystem paths from a list of repo paths
|
|
|
|
|
2011-03-06 16:17:47 +03:00
|
|
|
>>> conv = lambda seq: [(v, util.pconvert(p)) for v,p in seq]
|
|
|
|
>>> conv(urlrepos('hg', '/opt', ['/opt/r', '/opt/r/r', '/opt']))
|
2011-02-15 03:04:10 +03:00
|
|
|
[('hg/r', '/opt/r'), ('hg/r/r', '/opt/r/r'), ('hg', '/opt')]
|
2011-03-06 16:17:47 +03:00
|
|
|
>>> conv(urlrepos('', '/opt', ['/opt/r', '/opt/r/r', '/opt']))
|
2011-02-15 03:04:10 +03:00
|
|
|
[('r', '/opt/r'), ('r/r', '/opt/r/r'), ('', '/opt')]
|
|
|
|
"""
|
|
|
|
for path in paths:
|
|
|
|
path = os.path.normpath(path)
|
2011-02-15 03:04:10 +03:00
|
|
|
yield (prefix + '/' +
|
|
|
|
util.pconvert(path[len(roothead):]).lstrip('/')).strip('/'), path
|
2011-02-15 03:04:10 +03:00
|
|
|
|
2011-08-01 23:53:10 +04:00
|
|
|
def geturlcgivars(baseurl, port):
|
|
|
|
"""
|
|
|
|
Extract CGI variables from baseurl
|
|
|
|
|
|
|
|
>>> geturlcgivars("http://host.org/base", "80")
|
|
|
|
('host.org', '80', '/base')
|
|
|
|
>>> geturlcgivars("http://host.org:8000/base", "80")
|
|
|
|
('host.org', '8000', '/base')
|
|
|
|
>>> geturlcgivars('/base', 8000)
|
|
|
|
('', '8000', '/base')
|
|
|
|
>>> geturlcgivars("base", '8000')
|
|
|
|
('', '8000', '/base')
|
|
|
|
>>> geturlcgivars("http://host", '8000')
|
|
|
|
('host', '8000', '/')
|
|
|
|
>>> geturlcgivars("http://host/", '8000')
|
|
|
|
('host', '8000', '/')
|
|
|
|
"""
|
|
|
|
u = util.url(baseurl)
|
|
|
|
name = u.host or ''
|
|
|
|
if u.port:
|
|
|
|
port = u.port
|
|
|
|
path = u.path or ""
|
|
|
|
if not path.startswith('/'):
|
|
|
|
path = '/' + path
|
|
|
|
|
|
|
|
return name, str(port), path
|
|
|
|
|
2006-05-31 21:42:44 +04:00
|
|
|
class hgwebdir(object):
|
2015-08-22 23:58:59 +03:00
|
|
|
"""HTTP server for multiple repositories.
|
|
|
|
|
|
|
|
Given a configuration, different repositories will be served depending
|
|
|
|
on the request path.
|
|
|
|
|
|
|
|
Instances are typically used as WSGI applications.
|
|
|
|
"""
|
2009-04-27 01:50:43 +04:00
|
|
|
def __init__(self, conf, baseui=None):
|
2009-05-14 00:30:28 +04:00
|
|
|
self.conf = conf
|
|
|
|
self.baseui = baseui
|
2015-08-23 08:59:51 +03:00
|
|
|
self.ui = None
|
2009-05-14 00:30:28 +04:00
|
|
|
self.lastrefresh = 0
|
2009-11-22 13:25:01 +03:00
|
|
|
self.motd = None
|
2009-05-14 00:30:28 +04:00
|
|
|
self.refresh()
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2009-05-14 00:30:28 +04:00
|
|
|
def refresh(self):
|
2015-08-23 08:59:51 +03:00
|
|
|
refreshinterval = 20
|
|
|
|
if self.ui:
|
|
|
|
refreshinterval = self.ui.configint('web', 'refreshinterval',
|
|
|
|
refreshinterval)
|
|
|
|
|
|
|
|
# refreshinterval <= 0 means to always refresh.
|
|
|
|
if (refreshinterval > 0 and
|
|
|
|
self.lastrefresh + refreshinterval > time.time()):
|
2009-05-14 00:30:28 +04:00
|
|
|
return
|
|
|
|
|
|
|
|
if self.baseui:
|
2010-05-14 21:57:24 +04:00
|
|
|
u = self.baseui.copy()
|
2009-04-24 00:40:10 +04:00
|
|
|
else:
|
2016-10-22 08:35:10 +03:00
|
|
|
u = uimod.ui.load()
|
2014-03-19 05:45:14 +04:00
|
|
|
u.setconfig('ui', 'report_untrusted', 'off', 'hgwebdir')
|
|
|
|
u.setconfig('ui', 'nontty', 'true', 'hgwebdir')
|
2015-06-08 03:14:17 +03:00
|
|
|
# displaying bundling progress bar while serving feels wrong and may
|
|
|
|
# break some wsgi implementations.
|
|
|
|
u.setconfig('progress', 'disable', 'true', 'hgweb')
|
2009-04-24 00:40:10 +04:00
|
|
|
|
2009-05-20 18:04:37 +04:00
|
|
|
if not isinstance(self.conf, (dict, list, tuple)):
|
|
|
|
map = {'paths': 'hgweb-paths'}
|
2010-12-30 00:23:16 +03:00
|
|
|
if not os.path.exists(self.conf):
|
2015-10-08 22:55:45 +03:00
|
|
|
raise error.Abort(_('config file %s not found!') % self.conf)
|
2010-05-14 21:57:24 +04:00
|
|
|
u.readconfig(self.conf, remap=map, trust=True)
|
2011-03-16 05:06:57 +03:00
|
|
|
paths = []
|
|
|
|
for name, ignored in u.configitems('hgweb-paths'):
|
|
|
|
for path in u.configlist('hgweb-paths', name):
|
|
|
|
paths.append((name, path))
|
2009-05-20 18:04:37 +04:00
|
|
|
elif isinstance(self.conf, (list, tuple)):
|
|
|
|
paths = self.conf
|
|
|
|
elif isinstance(self.conf, dict):
|
|
|
|
paths = self.conf.items()
|
2009-05-11 16:20:18 +04:00
|
|
|
|
2010-05-14 21:57:24 +04:00
|
|
|
repos = findrepos(paths)
|
|
|
|
for prefix, root in u.configitems('collections'):
|
2009-05-22 00:41:18 +04:00
|
|
|
prefix = util.pconvert(prefix)
|
2011-04-21 18:06:19 +04:00
|
|
|
for path in scmutil.walkrepos(root, followsym=True):
|
2009-05-14 17:24:36 +04:00
|
|
|
repo = os.path.normpath(path)
|
2009-05-22 00:41:18 +04:00
|
|
|
name = util.pconvert(repo)
|
2009-05-14 17:24:36 +04:00
|
|
|
if name.startswith(prefix):
|
|
|
|
name = name[len(prefix):]
|
2010-05-14 21:57:24 +04:00
|
|
|
repos.append((name.lstrip('/'), repo))
|
2009-05-11 16:20:18 +04:00
|
|
|
|
2010-05-14 21:57:24 +04:00
|
|
|
self.repos = repos
|
|
|
|
self.ui = u
|
|
|
|
encoding.encoding = self.ui.config('web', 'encoding',
|
|
|
|
encoding.encoding)
|
|
|
|
self.style = self.ui.config('web', 'style', 'paper')
|
2010-07-12 18:07:58 +04:00
|
|
|
self.templatepath = self.ui.config('web', 'templates', None)
|
2010-05-14 21:57:24 +04:00
|
|
|
self.stripecount = self.ui.config('web', 'stripes', 1)
|
|
|
|
if self.stripecount:
|
|
|
|
self.stripecount = int(self.stripecount)
|
|
|
|
self._baseurl = self.ui.config('web', 'baseurl')
|
2013-02-01 01:36:22 +04:00
|
|
|
prefix = self.ui.config('web', 'prefix', '')
|
|
|
|
if prefix.startswith('/'):
|
|
|
|
prefix = prefix[1:]
|
|
|
|
if prefix.endswith('/'):
|
|
|
|
prefix = prefix[:-1]
|
|
|
|
self.prefix = prefix
|
2009-05-14 00:30:28 +04:00
|
|
|
self.lastrefresh = time.time()
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2006-06-30 06:06:18 +04:00
|
|
|
def run(self):
|
2016-12-17 23:24:36 +03:00
|
|
|
if not encoding.environ.get('GATEWAY_INTERFACE',
|
|
|
|
'').startswith("CGI/1."):
|
2009-05-31 03:30:16 +04:00
|
|
|
raise RuntimeError("This function is only intended to be "
|
|
|
|
"called while running as a CGI script.")
|
2007-11-30 20:23:18 +03:00
|
|
|
wsgicgi.launch(self)
|
|
|
|
|
|
|
|
def __call__(self, env, respond):
|
|
|
|
req = wsgirequest(env, respond)
|
2008-06-30 00:36:18 +04:00
|
|
|
return self.run_wsgi(req)
|
2006-06-30 06:06:18 +04:00
|
|
|
|
2008-10-31 17:28:06 +03:00
|
|
|
def read_allowed(self, ui, req):
|
|
|
|
"""Check allow_read and deny_read config options of a repo's ui object
|
|
|
|
to determine user permissions. By default, with neither option set (or
|
|
|
|
both empty), allow all users to read the repo. There are two ways a
|
|
|
|
user can be denied read access: (1) deny_read is not empty, and the
|
|
|
|
user is unauthenticated or deny_read contains user (or *), and (2)
|
|
|
|
allow_read is not empty and the user is not in allow_read. Return True
|
|
|
|
if user is allowed to read the repo, else return False."""
|
|
|
|
|
|
|
|
user = req.env.get('REMOTE_USER')
|
|
|
|
|
2009-01-03 23:44:15 +03:00
|
|
|
deny_read = ui.configlist('web', 'deny_read', untrusted=True)
|
2013-04-16 01:57:04 +04:00
|
|
|
if deny_read and (not user or ismember(ui, user, deny_read)):
|
2008-10-31 17:28:06 +03:00
|
|
|
return False
|
|
|
|
|
2009-01-03 23:44:15 +03:00
|
|
|
allow_read = ui.configlist('web', 'allow_read', untrusted=True)
|
2008-10-31 17:28:06 +03:00
|
|
|
# by default, allow reading if no allow_read option has been set
|
2013-04-16 01:57:04 +04:00
|
|
|
if (not allow_read) or ismember(ui, user, allow_read):
|
2008-10-31 17:28:06 +03:00
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
2006-06-30 06:06:18 +04:00
|
|
|
def run_wsgi(self, req):
|
2017-06-09 14:29:29 +03:00
|
|
|
profile = self.ui.configbool('profiling', 'enabled')
|
|
|
|
with profiling.profile(self.ui, enabled=profile):
|
2016-08-15 04:37:24 +03:00
|
|
|
for r in self._runwsgi(req):
|
|
|
|
yield r
|
2016-08-15 02:03:30 +03:00
|
|
|
|
|
|
|
def _runwsgi(self, req):
|
2007-12-03 20:40:37 +03:00
|
|
|
try:
|
2015-05-15 17:56:27 +03:00
|
|
|
self.refresh()
|
|
|
|
|
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
2017-01-11 10:37:08 +03:00
|
|
|
csp, nonce = cspvalues(self.ui)
|
|
|
|
if csp:
|
|
|
|
req.headers.append(('Content-Security-Policy', csp))
|
|
|
|
|
2015-05-15 17:56:27 +03:00
|
|
|
virtual = req.env.get("PATH_INFO", "").strip('/')
|
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
2017-01-11 10:37:08 +03:00
|
|
|
tmpl = self.templater(req, nonce)
|
2015-05-15 17:56:27 +03:00
|
|
|
ctype = tmpl('mimetype', encoding=encoding.encoding)
|
|
|
|
ctype = templater.stringify(ctype)
|
|
|
|
|
|
|
|
# a static file
|
|
|
|
if virtual.startswith('static/') or 'static' in req.form:
|
|
|
|
if virtual.startswith('static/'):
|
|
|
|
fname = virtual[7:]
|
|
|
|
else:
|
|
|
|
fname = req.form['static'][0]
|
|
|
|
static = self.ui.config("web", "static", None,
|
|
|
|
untrusted=False)
|
|
|
|
if not static:
|
|
|
|
tp = self.templatepath or templater.templatepaths()
|
|
|
|
if isinstance(tp, str):
|
|
|
|
tp = [tp]
|
|
|
|
static = [os.path.join(p, 'static') for p in tp]
|
|
|
|
staticfile(static, fname, req)
|
|
|
|
return []
|
|
|
|
|
|
|
|
# top-level index
|
2017-03-06 06:22:32 +03:00
|
|
|
|
|
|
|
repos = dict(self.repos)
|
|
|
|
|
2017-04-01 06:00:41 +03:00
|
|
|
if (not virtual or virtual == 'index') and virtual not in repos:
|
2015-05-15 17:56:27 +03:00
|
|
|
req.respond(HTTP_OK, ctype)
|
|
|
|
return self.makeindex(req, tmpl)
|
|
|
|
|
|
|
|
# nested indexes and hgwebs
|
|
|
|
|
2017-03-06 06:22:32 +03:00
|
|
|
if virtual.endswith('/index') and virtual not in repos:
|
|
|
|
subdir = virtual[:-len('index')]
|
|
|
|
if any(r.startswith(subdir) for r in repos):
|
|
|
|
req.respond(HTTP_OK, ctype)
|
|
|
|
return self.makeindex(req, tmpl, subdir)
|
|
|
|
|
2017-04-01 06:00:41 +03:00
|
|
|
def _virtualdirs():
|
|
|
|
# Check the full virtual path, each parent, and the root ('')
|
|
|
|
if virtual != '':
|
|
|
|
yield virtual
|
|
|
|
|
|
|
|
for p in util.finddirs(virtual):
|
|
|
|
yield p
|
|
|
|
|
|
|
|
yield ''
|
|
|
|
|
|
|
|
for virtualrepo in _virtualdirs():
|
2015-05-15 17:56:27 +03:00
|
|
|
real = repos.get(virtualrepo)
|
|
|
|
if real:
|
|
|
|
req.env['REPO_NAME'] = virtualrepo
|
|
|
|
try:
|
|
|
|
# ensure caller gets private copy of ui
|
|
|
|
repo = hg.repository(self.ui.copy(), real)
|
2015-11-01 08:23:23 +03:00
|
|
|
return hgweb_mod.hgweb(repo).run_wsgi(req)
|
2015-06-24 08:20:08 +03:00
|
|
|
except IOError as inst:
|
2015-05-15 17:56:27 +03:00
|
|
|
msg = inst.strerror
|
|
|
|
raise ErrorResponse(HTTP_SERVER_ERROR, msg)
|
2015-06-24 08:20:08 +03:00
|
|
|
except error.RepoError as inst:
|
2015-05-15 17:56:27 +03:00
|
|
|
raise ErrorResponse(HTTP_SERVER_ERROR, str(inst))
|
|
|
|
|
|
|
|
# browse subdirectories
|
|
|
|
subdir = virtual + '/'
|
|
|
|
if [r for r in repos if r.startswith(subdir)]:
|
|
|
|
req.respond(HTTP_OK, ctype)
|
|
|
|
return self.makeindex(req, tmpl, subdir)
|
|
|
|
|
|
|
|
# prefixes not found
|
|
|
|
req.respond(HTTP_NOT_FOUND, ctype)
|
|
|
|
return tmpl("notfound", repo=virtual)
|
|
|
|
|
2015-06-24 08:20:08 +03:00
|
|
|
except ErrorResponse as err:
|
2015-05-15 17:56:27 +03:00
|
|
|
req.respond(err, ctype)
|
|
|
|
return tmpl('error', error=err.message or '')
|
2007-12-03 20:40:37 +03:00
|
|
|
finally:
|
|
|
|
tmpl = None
|
|
|
|
|
|
|
|
def makeindex(self, req, tmpl, subdir=""):
|
|
|
|
|
2006-05-31 21:42:44 +04:00
|
|
|
def archivelist(ui, nodeid, url):
|
2006-10-26 21:25:45 +04:00
|
|
|
allowed = ui.configlist("web", "allow_archive", untrusted=True)
|
2011-02-17 23:05:27 +03:00
|
|
|
archives = []
|
2017-01-10 18:41:58 +03:00
|
|
|
for typ, spec in hgweb_mod.archivespecs.iteritems():
|
|
|
|
if typ in allowed or ui.configbool("web", "allow" + typ,
|
2006-10-26 21:25:45 +04:00
|
|
|
untrusted=True):
|
2017-01-10 18:41:58 +03:00
|
|
|
archives.append({"type" : typ, "extension": spec[2],
|
2011-02-17 23:05:27 +03:00
|
|
|
"node": nodeid, "url": url})
|
|
|
|
return archives
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2010-03-06 14:45:14 +03:00
|
|
|
def rawentries(subdir="", **map):
|
2009-08-19 14:47:04 +04:00
|
|
|
|
|
|
|
descend = self.ui.configbool('web', 'descend', True)
|
2012-02-18 23:10:19 +04:00
|
|
|
collapse = self.ui.configbool('web', 'collapse', False)
|
|
|
|
seenrepos = set()
|
|
|
|
seendirs = set()
|
2006-05-31 21:42:44 +04:00
|
|
|
for name, path in self.repos:
|
2009-08-19 14:47:04 +04:00
|
|
|
|
2007-07-06 06:44:06 +04:00
|
|
|
if not name.startswith(subdir):
|
|
|
|
continue
|
2007-07-06 06:56:16 +04:00
|
|
|
name = name[len(subdir):]
|
2012-02-18 23:10:19 +04:00
|
|
|
directory = False
|
|
|
|
|
|
|
|
if '/' in name:
|
|
|
|
if not descend:
|
|
|
|
continue
|
|
|
|
|
|
|
|
nameparts = name.split('/')
|
|
|
|
rootname = nameparts[0]
|
|
|
|
|
|
|
|
if not collapse:
|
|
|
|
pass
|
|
|
|
elif rootname in seendirs:
|
|
|
|
continue
|
|
|
|
elif rootname in seenrepos:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
directory = True
|
|
|
|
name = rootname
|
|
|
|
|
|
|
|
# redefine the path to refer to the directory
|
|
|
|
discarded = '/'.join(nameparts[1:])
|
|
|
|
|
|
|
|
# remove name parts plus accompanying slash
|
|
|
|
path = path[:-len(discarded) - 1]
|
|
|
|
|
2015-06-02 01:06:20 +03:00
|
|
|
try:
|
|
|
|
r = hg.repository(self.ui, path)
|
|
|
|
directory = False
|
|
|
|
except (IOError, error.RepoError):
|
|
|
|
pass
|
|
|
|
|
2012-02-18 23:10:19 +04:00
|
|
|
parts = [name]
|
2017-03-06 06:22:32 +03:00
|
|
|
parts.insert(0, '/' + subdir.rstrip('/'))
|
2012-02-18 23:10:19 +04:00
|
|
|
if req.env['SCRIPT_NAME']:
|
|
|
|
parts.insert(0, req.env['SCRIPT_NAME'])
|
|
|
|
url = re.sub(r'/+', '/', '/'.join(parts) + '/')
|
|
|
|
|
|
|
|
# show either a directory entry or a repository
|
|
|
|
if directory:
|
|
|
|
# get the directory's time information
|
|
|
|
try:
|
|
|
|
d = (get_mtime(path), util.makedate()[1])
|
|
|
|
except OSError:
|
|
|
|
continue
|
|
|
|
|
2012-07-26 23:29:39 +04:00
|
|
|
# add '/' to the name to make it obvious that
|
|
|
|
# the entry is a directory, not a regular repository
|
2014-03-12 21:15:37 +04:00
|
|
|
row = {'contact': "",
|
|
|
|
'contact_sort': "",
|
|
|
|
'name': name + '/',
|
|
|
|
'name_sort': name,
|
|
|
|
'url': url,
|
|
|
|
'description': "",
|
|
|
|
'description_sort': "",
|
|
|
|
'lastchange': d,
|
|
|
|
'lastchange_sort': d[1]-d[0],
|
|
|
|
'archives': [],
|
2016-07-01 04:59:53 +03:00
|
|
|
'isdirectory': True,
|
|
|
|
'labels': [],
|
|
|
|
}
|
2012-02-18 23:10:19 +04:00
|
|
|
|
|
|
|
seendirs.add(name)
|
|
|
|
yield row
|
2009-08-19 14:47:04 +04:00
|
|
|
continue
|
2007-07-06 06:44:06 +04:00
|
|
|
|
2009-04-27 01:50:43 +04:00
|
|
|
u = self.ui.copy()
|
2006-05-31 21:42:44 +04:00
|
|
|
try:
|
|
|
|
u.readconfig(os.path.join(path, '.hg', 'hgrc'))
|
2015-06-24 08:20:08 +03:00
|
|
|
except Exception as e:
|
2008-08-16 16:46:56 +04:00
|
|
|
u.warn(_('error reading %s/.hg/hgrc: %s\n') % (path, e))
|
2007-09-25 02:00:11 +04:00
|
|
|
continue
|
2006-10-26 21:25:45 +04:00
|
|
|
def get(section, name, default=None):
|
|
|
|
return u.config(section, name, default, untrusted=True)
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2007-06-25 16:46:20 +04:00
|
|
|
if u.configbool("web", "hidden", untrusted=True):
|
|
|
|
continue
|
|
|
|
|
2008-10-31 17:28:06 +03:00
|
|
|
if not self.read_allowed(u, req):
|
|
|
|
continue
|
|
|
|
|
2006-05-31 21:42:44 +04:00
|
|
|
# update time with local timezone
|
|
|
|
try:
|
2009-12-15 23:33:04 +03:00
|
|
|
r = hg.repository(self.ui, path)
|
2011-03-29 20:33:10 +04:00
|
|
|
except IOError:
|
|
|
|
u.warn(_('error accessing repository at %s\n') % path)
|
|
|
|
continue
|
2010-08-24 18:30:51 +04:00
|
|
|
except error.RepoError:
|
|
|
|
u.warn(_('error accessing repository at %s\n') % path)
|
|
|
|
continue
|
|
|
|
try:
|
2009-12-15 23:33:04 +03:00
|
|
|
d = (get_mtime(r.spath), util.makedate()[1])
|
2006-05-31 21:42:44 +04:00
|
|
|
except OSError:
|
|
|
|
continue
|
|
|
|
|
2008-01-01 19:07:15 +03:00
|
|
|
contact = get_contact(get)
|
2006-05-31 21:42:44 +04:00
|
|
|
description = get("web", "description", "")
|
hgwebdir: avoid redundant repo and directory entries when 'web.name' is set
Previously, when 'web.name' was set on a subrepo parent and 'web.collapse=True',
the parent repo would show in the list with the configured 'web.name', and a
directory with the parent repo's filesystem name (with a trailing slash) would
also appear. The subrepo(s) would unexpectedly be excluded from the list of
repositories. Clicking the directory entry would go right to the repo page.
Now both the parent and the subrepos show up, without the additional directory
entry.
The configured hgweb paths used '**' for finding the repos in this scenario.
A couple of notes about the tests:
- The area where the subrepo was added has a comment that it tests subrepos,
though none previously existed there. One now does.
- The 'web.descend' option is required for collapse to work. I'm not sure what
the previous expectations were for the test. Nothing changed with it set,
prior to adding the code in this patch. It is however required for this test.
- The only output changes are for the hyperlinks, obviously because of the
'web.name' parameter.
- Without this code change, there would be an additional diff:
--- /usr/local/mercurial/tests/test-hgwebdir.t
+++ /usr/local/mercurial/tests/test-hgwebdir.t.err
@@ -951,7 +951,7 @@
/rcoll/notrepo/e/
/rcoll/notrepo/e/e2/
/rcoll/notrepo/f/
- /rcoll/notrepo/f/f2/
+ /rcoll/notrepo/f/
Test repositories inside intermediate directories
I'm not sure why the fancy name doesn't come out, but it is enough to
demonstrate that the parent is not listed redundantly, and the subrepo isn't
skipped.
2015-06-01 21:42:55 +03:00
|
|
|
seenrepos.add(name)
|
2006-05-31 21:42:44 +04:00
|
|
|
name = get("web", "name", name)
|
2014-03-12 21:15:37 +04:00
|
|
|
row = {'contact': contact or "unknown",
|
|
|
|
'contact_sort': contact.upper() or "unknown",
|
|
|
|
'name': name,
|
|
|
|
'name_sort': name,
|
|
|
|
'url': url,
|
|
|
|
'description': description or "unknown",
|
|
|
|
'description_sort': description.upper() or "unknown",
|
|
|
|
'lastchange': d,
|
|
|
|
'lastchange_sort': d[1]-d[0],
|
|
|
|
'archives': archivelist(u, "tip", url),
|
|
|
|
'isdirectory': None,
|
2016-07-01 04:59:53 +03:00
|
|
|
'labels': u.configlist('web', 'labels', untrusted=True),
|
2014-03-12 21:15:37 +04:00
|
|
|
}
|
2012-02-18 23:10:19 +04:00
|
|
|
|
2010-03-06 14:45:14 +03:00
|
|
|
yield row
|
|
|
|
|
|
|
|
sortdefault = None, False
|
|
|
|
def entries(sortcolumn="", descending=False, subdir="", **map):
|
|
|
|
rows = rawentries(subdir=subdir, **map)
|
|
|
|
|
|
|
|
if sortcolumn and sortdefault != (sortcolumn, descending):
|
|
|
|
sortkey = '%s_sort' % sortcolumn
|
|
|
|
rows = sorted(rows, key=lambda x: x[sortkey],
|
|
|
|
reverse=descending)
|
|
|
|
for row, parity in zip(rows, paritygen(self.stripecount)):
|
|
|
|
row['parity'] = parity
|
|
|
|
yield row
|
2006-05-31 21:42:44 +04:00
|
|
|
|
2009-05-14 00:30:28 +04:00
|
|
|
self.refresh()
|
2007-12-03 20:40:37 +03:00
|
|
|
sortable = ["name", "description", "contact", "lastchange"]
|
2009-05-11 16:19:49 +04:00
|
|
|
sortcolumn, descending = sortdefault
|
2008-01-20 16:39:25 +03:00
|
|
|
if 'sort' in req.form:
|
2007-12-03 20:40:37 +03:00
|
|
|
sortcolumn = req.form['sort'][0]
|
|
|
|
descending = sortcolumn.startswith('-')
|
|
|
|
if descending:
|
|
|
|
sortcolumn = sortcolumn[1:]
|
|
|
|
if sortcolumn not in sortable:
|
|
|
|
sortcolumn = ""
|
2007-07-21 12:30:51 +04:00
|
|
|
|
2007-12-03 20:40:37 +03:00
|
|
|
sort = [("sort_%s" % column,
|
|
|
|
"%s%s" % ((not descending and column == sortcolumn)
|
|
|
|
and "-" or "", column))
|
|
|
|
for column in sortable]
|
2008-01-22 12:45:55 +03:00
|
|
|
|
2009-05-14 00:30:28 +04:00
|
|
|
self.refresh()
|
2010-03-10 18:25:46 +03:00
|
|
|
self.updatereqenv(req.env)
|
2008-03-09 04:19:18 +03:00
|
|
|
|
2008-01-28 18:35:02 +03:00
|
|
|
return tmpl("index", entries=entries, subdir=subdir,
|
2015-11-01 08:23:23 +03:00
|
|
|
pathdef=hgweb_mod.makebreadcrumb('/' + subdir, self.prefix),
|
2008-01-28 18:35:02 +03:00
|
|
|
sortcolumn=sortcolumn, descending=descending,
|
|
|
|
**dict(sort))
|
2007-12-03 20:58:18 +03:00
|
|
|
|
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
2017-01-11 10:37:08 +03:00
|
|
|
def templater(self, req, nonce):
|
2007-12-03 20:58:18 +03:00
|
|
|
|
|
|
|
def motd(**map):
|
|
|
|
if self.motd is not None:
|
|
|
|
yield self.motd
|
|
|
|
else:
|
|
|
|
yield config('web', 'motd', '')
|
|
|
|
|
|
|
|
def config(section, name, default=None, untrusted=True):
|
2009-04-27 01:50:43 +04:00
|
|
|
return self.ui.config(section, name, default, untrusted)
|
2007-12-03 20:58:18 +03:00
|
|
|
|
2010-03-10 18:25:46 +03:00
|
|
|
self.updatereqenv(req.env)
|
2008-03-09 04:19:18 +03:00
|
|
|
|
2007-12-03 20:58:18 +03:00
|
|
|
url = req.env.get('SCRIPT_NAME', '')
|
|
|
|
if not url.endswith('/'):
|
|
|
|
url += '/'
|
|
|
|
|
2009-04-27 13:37:30 +04:00
|
|
|
vars = {}
|
2009-11-12 18:39:11 +03:00
|
|
|
styles = (
|
|
|
|
req.form.get('style', [None])[0],
|
|
|
|
config('web', 'style'),
|
|
|
|
'paper'
|
|
|
|
)
|
2010-07-12 18:07:58 +04:00
|
|
|
style, mapfile = templater.stylemap(styles, self.templatepath)
|
2009-11-12 18:39:11 +03:00
|
|
|
if style == styles[0]:
|
|
|
|
vars['style'] = style
|
2010-01-25 09:05:27 +03:00
|
|
|
|
2009-04-27 13:37:30 +04:00
|
|
|
start = url[-1] == '?' and '&' or '?'
|
|
|
|
sessionvars = webutil.sessionvars(vars, start)
|
2015-09-30 23:43:49 +03:00
|
|
|
logourl = config('web', 'logourl', 'https://mercurial-scm.org/')
|
2011-07-21 17:10:16 +04:00
|
|
|
logoimg = config('web', 'logoimg', 'hglogo.png')
|
2007-12-03 20:58:18 +03:00
|
|
|
staticurl = config('web', 'staticurl') or url + 'static/'
|
|
|
|
if not staticurl.endswith('/'):
|
|
|
|
staticurl += '/'
|
|
|
|
|
2016-04-03 17:26:48 +03:00
|
|
|
defaults = {
|
|
|
|
"encoding": encoding.encoding,
|
|
|
|
"motd": motd,
|
|
|
|
"url": url,
|
|
|
|
"logourl": logourl,
|
|
|
|
"logoimg": logoimg,
|
|
|
|
"staticurl": staticurl,
|
|
|
|
"sessionvars": sessionvars,
|
|
|
|
"style": style,
|
hgweb: support Content Security Policy
Content-Security-Policy (CSP) is a web security feature that allows
servers to declare what loaded content is allowed to do. For example,
a policy can prevent loading of images, JavaScript, CSS, etc unless
the source of that content is whitelisted (by hostname, URI scheme,
hashes of content, etc). It's a nifty security feature that provides
extra mitigation against some attacks, notably XSS.
Mitigation against these attacks is important for Mercurial because
hgweb renders repository data, which is commonly untrusted. While we
make attempts to escape things, etc, there's the possibility that
malicious data could be injected into the site content. If this happens
today, the full power of the web browser is available to that
malicious content. A restrictive CSP policy (defined by the server
operator and sent in an HTTP header which is outside the control of
malicious content), could restrict browser capabilities and mitigate
security problems posed by malicious data.
CSP works by emitting an HTTP header declaring the policy that browsers
should apply. Ideally, this header would be emitted by a layer above
Mercurial (likely the HTTP server doing the WSGI "proxying"). This
works for some CSP policies, but not all.
For example, policies to allow inline JavaScript may require setting
a "nonce" attribute on <script>. This attribute value must be unique
and non-guessable. And, the value must be present in the HTTP header
and the HTML body. This means that coordinating the value between
Mercurial and another HTTP server could be difficult: it is much
easier to generate and emit the nonce in a central location.
This commit introduces support for emitting a
Content-Security-Policy header from hgweb. A config option defines
the header value. If present, the header is emitted. A special
"%nonce%" syntax in the value triggers generation of a nonce and
inclusion in <script> elements in templates. The inclusion of a
nonce does not occur unless "%nonce%" is present. This makes this
commit completely backwards compatible and the feature opt-in.
The nonce is a type 4 UUID, which is the flavor that is randomly
generated. It has 122 random bits, which should be plenty to satisfy
the guarantees of a nonce.
2017-01-11 10:37:08 +03:00
|
|
|
"nonce": nonce,
|
2016-04-03 17:26:48 +03:00
|
|
|
}
|
|
|
|
tmpl = templater.templater.frommapfile(mapfile, defaults=defaults)
|
2007-12-03 20:58:18 +03:00
|
|
|
return tmpl
|
2010-03-10 18:25:46 +03:00
|
|
|
|
|
|
|
def updatereqenv(self, env):
|
|
|
|
if self._baseurl is not None:
|
2011-08-01 23:53:10 +04:00
|
|
|
name, port, path = geturlcgivars(self._baseurl, env['SERVER_PORT'])
|
|
|
|
env['SERVER_NAME'] = name
|
|
|
|
env['SERVER_PORT'] = port
|
2011-08-01 11:48:10 +04:00
|
|
|
env['SCRIPT_NAME'] = path
|