Mercurial > public > mercurial-scm > hg-stable

comparison mercurial/hgweb/protocol.py @ 6335:e29557d687c9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: only accept POST requests for unbundle
author Dirkjan Ochtman <dirkjan@ochtman.nl>
date Fri, 21 Mar 2008 00:55:53 +0100
parents be76e54570f0
children 8542fac26f63
comparison
equal deleted inserted replaced
6334:7016f7fb8fe3 6335:e29557d687c9
104 resp = ' '.join(web.capabilities()) 104 resp = ' '.join(web.capabilities())
105 req.respond(HTTP_OK, HGTYPE, length=len(resp)) 105 req.respond(HTTP_OK, HGTYPE, length=len(resp))
106 req.write(resp) 106 req.write(resp)
107 107
108 def unbundle(web, req): 108 def unbundle(web, req):
109
109 def bail(response, headers={}): 110 def bail(response, headers={}):
110 length = int(req.env['CONTENT_LENGTH']) 111 length = int(req.env.get('CONTENT_LENGTH', 0))
111 for s in util.filechunkiter(req, limit=length): 112 for s in util.filechunkiter(req, limit=length):
112 # drain incoming bundle, else client will not see 113 # drain incoming bundle, else client will not see
113 # response when run outside cgi script 114 # response when run outside cgi script
114 pass 115 pass
116
117 status = headers.pop('status', HTTP_OK)
115 req.header(headers.items()) 118 req.header(headers.items())
116 req.respond(HTTP_OK, HGTYPE) 119 req.respond(status, HGTYPE)
117 req.write('0\n') 120 req.write('0\n')
118 req.write(response) 121 req.write(response)
122
123 # enforce that you can only unbundle with POST requests
124 if req.env['REQUEST_METHOD'] != 'POST':
125 headers = {'status': '405 Method Not Allowed'}
126 bail('unbundle requires POST request\n', headers)
127 return
119 128
120 # require ssl by default, auth info cannot be sniffed and 129 # require ssl by default, auth info cannot be sniffed and
121 # replayed 130 # replayed
122 ssl_req = web.configbool('web', 'push_ssl', True) 131 ssl_req = web.configbool('web', 'push_ssl', True)
123 if ssl_req: 132 if ssl_req:
128 else: 137 else:
129 proto = 'http' 138 proto = 'http'
130 139
131 # do not allow push unless explicitly allowed 140 # do not allow push unless explicitly allowed
132 if not web.check_perm(req, 'push', False): 141 if not web.check_perm(req, 'push', False):
133 bail('push not authorized\n', 142 bail('push not authorized\n', headers={'status': '401 Unauthorized'})
134 headers={'status': '401 Unauthorized'})
135 return 143 return
136 144
137 their_heads = req.form['heads'][0].split(' ') 145 their_heads = req.form['heads'][0].split(' ')
138 146
139 def check_heads(): 147 def check_heads():