Mercurial > public > mercurial-scm > hg-stable
diff mercurial/streamclone.py @ 32764:33b7283a3828
streamclone: consider secret changesets (BC) (issue5589)
Previously, a repo containing secret changesets would be served via
stream clone, transferring those secret changesets. While secret
changesets aren't meant to imply strong security (if you really
want to keep them secret, others shouldn't have read access to the
repo), we should at least make an effort to protect secret changesets
when possible.
After this commit, we no longer serve stream clones for repos
containing secret changesets by default. This is backwards
incompatible behavior. In case anyone is relying on the behavior,
we provide a config option to opt into the old behavior.
Note that this defense is only beneficial for remote repos
accessed via the wire protocol: if a client has access to the
files backing a repo, they can get to the raw data and see secret
revisions.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Fri, 09 Jun 2017 10:41:13 -0700 |
| parents | 076f1ff43f0f |
| children | b045344fe35e |
line wrap: on
line diff
--- a/mercurial/streamclone.py Fri Jun 09 21:33:15 2017 +0900 +++ b/mercurial/streamclone.py Fri Jun 09 10:41:13 2017 -0700 @@ -13,6 +13,7 @@ from . import ( branchmap, error, + phases, store, util, ) @@ -162,9 +163,18 @@ repo.invalidate() -def allowservergeneration(ui): +def allowservergeneration(repo): """Whether streaming clones are allowed from the server.""" - return ui.configbool('server', 'uncompressed', True, untrusted=True) + if not repo.ui.configbool('server', 'uncompressed', True, untrusted=True): + return False + + # The way stream clone works makes it impossible to hide secret changesets. + # So don't allow this by default. + secret = phases.hassecret(repo) + if secret: + return repo.ui.configbool('server', 'uncompressedallowsecret', False) + + return True # This is it's own function so extensions can override it. def _walkstreamfiles(repo):