( )⚙ D2738 hgweb: only recognize wire protocol commands from query string (BC)

This is an archive of the discontinued Mercurial Phabricator instance.

hgweb: only recognize wire protocol commands from query string (BC)
ClosedPublic

Authored by indygreg on Mar 8 2018, 8:06 PM.

Details

Summary

Previously, we attempted to parse the wire protocol command from
req.form. Data could have come from the query string or POST
form data.

The wire protocol states that the command must be declared in the
query string. And AFAICT all Mercurial releases from at least 1.0
send the command in the query string.

So let's actual require this behavior.

This is technically BC. But I'm not sure how anyone in the wild
would encounter this. POST has historically been used for sending
bundle data. So there's no opportunity to encode arguments there.
And the experimental HTTP POST args also takes over the body. So
the only way someone would be impacted by this is if they wrote
a custom client that both used POST for everything and sent arguments
via the HTTP body. I don't believe such a client exists.

.. bc::

The HTTP wire protocol server no longer accepts the ``cmd``
argument to control which command to run via HTTP POST bodies.
The ``cmd`` argument must be specified on the URL query string.

Diff Detail

Repository
rHG Mercurial
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

indygreg created this revision.Mar 8 2018, 8:06 PM
durin42 accepted this revision.Mar 9 2018, 2:04 PM
This revision is now accepted and ready to land.Mar 9 2018, 2:04 PM
This revision was automatically updated to reflect the committed changes.