mercurial/hgweb/hgweb_mod.py
branchstable
changeset 36756 2ecb0fc535b1
parent 36755 ff4bc0ab6740
child 36760 7bf80d9d9543
--- a/mercurial/hgweb/hgweb_mod.py	Tue Feb 20 18:55:58 2018 -0800
+++ b/mercurial/hgweb/hgweb_mod.py	Sun Feb 18 17:20:38 2018 -0800
@@ -362,8 +362,11 @@
                     raise ErrorResponse(HTTP_NOT_FOUND)
 
                 req.checkperm = lambda op: self.check_perm(rctx, req, op)
-                if cmd in perms:
-                    req.checkperm(perms[cmd])
+                # Assume commands with no defined permissions are writes /
+                # for pushes. This is the safest from a security perspective
+                # because it doesn't allow commands with undefined semantics
+                # from bypassing permissions checks.
+                req.checkperm(perms.get(cmd, 'push'))
                 return protocol.call(rctx.repo, req, cmd)
             except ErrorResponse as inst:
                 # A client that sends unbundle without 100-continue will
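Review bot: The fallback in `req.checkperm(perms.get(cmd, 'push'))` fails closed, but it also makes a missing `perms` entry silent. A read-only command registered later without an entry will require push rights, and nothing at this call site tells its author why. I would extend the new comment with something like `# Every wire protocol command should have an explicit entry in perms; the 'push' fallback is only a safety net.` A regression test would also help: a command absent from `perms` should be refused for a client that has pull but not push permission, so the default cannot quietly revert to the old skip-the-check behaviour. The enclosing method starts and ends outside this hunk, so I cannot see whether the `HTTP_NOT_FOUND` branch above already rejects every unregistered command name.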