Mercurial > public > mercurial-scm > hg
diff mercurial/hgweb/protocol.py @ 6335:e29557d687c9
hgweb: only accept POST requests for unbundle
| author | Dirkjan Ochtman <dirkjan@ochtman.nl> |
|---|---|
| date | Fri, 21 Mar 2008 00:55:53 +0100 |
| parents | be76e54570f0 |
| children | 8542fac26f63 |
line wrap: on
line diff
--- a/mercurial/hgweb/protocol.py Fri Mar 21 00:39:39 2008 +0100 +++ b/mercurial/hgweb/protocol.py Fri Mar 21 00:55:53 2008 +0100 @@ -106,17 +106,26 @@ req.write(resp) def unbundle(web, req): + def bail(response, headers={}): - length = int(req.env['CONTENT_LENGTH']) + length = int(req.env.get('CONTENT_LENGTH', 0)) for s in util.filechunkiter(req, limit=length): # drain incoming bundle, else client will not see # response when run outside cgi script pass + + status = headers.pop('status', HTTP_OK) req.header(headers.items()) - req.respond(HTTP_OK, HGTYPE) + req.respond(status, HGTYPE) req.write('0\n') req.write(response) + # enforce that you can only unbundle with POST requests + if req.env['REQUEST_METHOD'] != 'POST': + headers = {'status': '405 Method Not Allowed'} + bail('unbundle requires POST request\n', headers) + return + # require ssl by default, auth info cannot be sniffed and # replayed ssl_req = web.configbool('web', 'push_ssl', True) @@ -130,8 +139,7 @@ # do not allow push unless explicitly allowed if not web.check_perm(req, 'push', False): - bail('push not authorized\n', - headers={'status': '401 Unauthorized'}) + bail('push not authorized\n', headers={'status': '401 Unauthorized'}) return their_heads = req.form['heads'][0].split(' ')