SCM-Manager

Nemcio/SCM-Manager

Fork 0

mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-11 07:55:47 +01:00

Commit Graph

Author	SHA1	Message	Date
Sebastian Sdorra	b43e406b76	#970 initial support of mercurials httppostargs protocol	2018-03-30 11:20:22 +02:00
Sebastian Sdorra	8aaa67cd6a	#970 inspect mercurial commands in order to detect write requests The HgPermissionFilter will now inspect the used mercurial command, of all requests which are using a read method like GET, HEAD, OPTIONS or TRACE and tread every one as write request, expect: - no command was specified with the request (this is required for the hgweb ui) - the command in the query string was found in the list of read commands - if query string contains the batch command, then all commands specified in X-HgArg headers must be in the list of read commands This change is required, in order to fix CVE-2018-1000132 for SCM-Manager.	2018-03-29 20:26:56 +02:00

Author

SHA1

Message

Date

Sebastian Sdorra

b43e406b76

#970 initial support of mercurials httppostargs protocol

2018-03-30 11:20:22 +02:00

Sebastian Sdorra

8aaa67cd6a

#970 inspect mercurial commands in order to detect write requests

The HgPermissionFilter will now inspect the used mercurial command, of all requests which are using a read method like GET, HEAD, OPTIONS or TRACE and tread every one as write request, expect:
- no command was specified with the request (this is required for the hgweb ui)
- the command in the query string was found in the list of read commands
- if query string contains the batch command, then all commands specified in X-HgArg headers must be in the list of read commands
This change is required, in order to fix CVE-2018-1000132 for SCM-Manager.

2018-03-29 20:26:56 +02:00

2 Commits