diff -r ff4bc0ab6740 -r 2ecb0fc535b1 mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Tue Feb 20 18:55:58 2018 -0800
+++ b/mercurial/hgweb/hgweb_mod.py Sun Feb 18 17:20:38 2018 -0800
@@ -362,8 +362,11 @@
 raise ErrorResponse(HTTP_NOT_FOUND)
 req.checkperm = lambda op: self.check_perm(rctx, req, op)
- if cmd in perms:
- req.checkperm(perms[cmd])
+ # Assume commands with no defined permissions are writes /
+ # for pushes. This is the safest from a security perspective
+ # because it doesn't allow commands with undefined semantics
+ # from bypassing permissions checks.
+ req.checkperm(perms.get(cmd, 'push'))
 return protocol.call(rctx.repo, req, cmd)
 except ErrorResponse as inst:
 # A client that sends unbundle without 100-continue will
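Review bot: The fallback in `req.checkperm(perms.get(cmd, 'push'))` fails closed, but silently: a read-only command registered without a `perms` entry will be held to push permission, and nothing visible here records that the default was applied. The `perms` table is defined outside this hunk, so its coverage cannot be confirmed from these lines; a test asserting that every registered protocol command has an explicit `perms` entry would catch an omission before release rather than as an unexplained authorization failure. Naming the default next to the table, e.g. `DEFAULT_PERM = 'push'` and `req.checkperm(perms.get(cmd, DEFAULT_PERM))`, would keep the most-restrictive choice documented in one place. The enclosing `try` block and method start and end outside the hunk.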