Mercurial > hg > mercurial-crew-with-dirclash
view tests/test-archive @ 3541:881064004fd0
use untrusted settings in hgweb
The only exceptions are web.static and web.templates, since they can
be used to get any file that is readable by the user running the CGI
script.
Other options can be (ab)used to increase the use of the cpu
(allow_bz2) or of the bandwidth (server.uncompressed), but they're
trusted anyway.
| author | Alexis S. L. Carvalho <alexis@cecm.usp.br> |
|---|---|
| date | Thu, 26 Oct 2006 19:25:45 +0200 |
| parents | 83cfd95eafb5 |
| children | ca023b63ba1f |
line wrap: on
line source
#!/bin/sh mkdir test cd test hg init echo foo>foo hg addremove hg commit -m 1 echo bar>bar hg addremove hg commit -m 2 mkdir baz echo bletch>baz/bletch hg addremove hg commit -m 3 echo "[web]" >> .hg/hgrc echo "name = test-archive" >> .hg/hgrc echo "allow_archive = gz bz2, zip" >> .hg/hgrc hg serve -p 20059 -d --pid-file=hg.pid cat hg.pid >> $DAEMON_PIDS TIP=`hg id -v | cut -f1 -d' '` QTIP=`hg id -q` cat > getarchive.py <<EOF import sys, urllib2 node, archive = sys.argv[1:] f = urllib2.urlopen('http://127.0.0.1:20059/?cmd=archive;node=%s;type=%s' % (node, archive)) sys.stdout.write(f.read()) EOF http_proxy= python getarchive.py "$TIP" gz | gunzip | tar tf - | sed "s/$QTIP/TIP/" http_proxy= python getarchive.py "$TIP" bz2 | bunzip2 | tar tf - | sed "s/$QTIP/TIP/" http_proxy= python getarchive.py "$TIP" zip > archive.zip unzip -t archive.zip | sed "s/$QTIP/TIP/" hg archive -t tar test.tar tar tf test.tar hg archive -t tbz2 -X baz test.tar.bz2 bunzip2 -dc test.tar.bz2 | tar tf - hg archive -t tgz -p %b-%h test-%h.tar.gz gzip -dc test-$QTIP.tar.gz | tar tf - | sed "s/$QTIP/TIP/" hg archive -t zip -p /illegal test.zip hg archive -t zip -p very/../bad test.zip hg archive -t zip -r 2 test.zip unzip -t test.zip hg archive -t tar - | tar tf - | sed "s/$QTIP/TIP/"