Mercurial > public > mercurial-scm > hg

diff mercurial/ui.py @ 30832:da5fa0f13a41

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ui: introduce an experimental dict of exportable environment variables Care needs to be taken to prevent leaking potentially sensitive environment variables through hgweb, if template support for environment variables is to be introduced. There are a few ideas about the API for preventing accidental leaking [1]. Option 3 seems best from the POV of not needing to configure anything in the normal case. I couldn't figure out how to do that, so guard it with an experimental option for now. [1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-January/092383.html
author Matt Harbison <matt_harbison@yahoo.com>
date Tue, 17 Jan 2017 23:05:12 -0500
parents b96c57c1f860
children bcad61a1f9a7
line wrap: on
line diff
--- a/mercurial/ui.py	Tue Jan 17 13:44:53 2017 +0800
+++ b/mercurial/ui.py	Tue Jan 17 23:05:12 2017 -0500
@@ -147,6 +147,15 @@
 
             self.httppasswordmgrdb = urlreq.httppasswordmgrwithdefaultrealm()
 
+        allowed = self.configlist('experimental', 'exportableenviron')
+        if '*' in allowed:
+            self._exportableenviron = self.environ
+        else:
+            self._exportableenviron = {}
+            for k in allowed:
+                if k in self.environ:
+                    self._exportableenviron[k] = self.environ[k]
+
     @classmethod
     def load(cls):
         """Create a ui and load global and user configs"""
@@ -1211,6 +1220,12 @@
                 " update your code.)") % version
         self.develwarn(msg, stacklevel=2, config='deprec-warn')
 
+    def exportableenviron(self):
+        """The environment variables that are safe to export, e.g. through
+        hgweb.
+        """
+        return self._exportableenviron
+
     @contextlib.contextmanager
     def configoverride(self, overrides, source=""):
         """Context manager for temporary config overrides