@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Provide an explicit "-R" flag to "hg serve"

Summary:
See <https://discourse.phabricator-community.org/t/unable-to-use-current-mercurial-on-debian-stretch/391>.

The Mercurial commit is helpful in particular: <https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499>

We weren't vulnerable to the security issue (users can not control any part of the command) but pass the working directory explicitly to get past the new safety check.

I left `setCWD()` in place (a few lines below) just because it can't hurt, and in some other contexts it sometimes matters (for example, if commit hooks execute, they might inherit the parent CWD here or in other VCSes).

Test Plan:
- Cloned from a Mercurial repo locally over HTTP.
- Verified that SSH cloning already uses `-R` (it does, see `DiffusionMercurialServeSSHWorkflow`).
- Did not actually upgrade to Mercurial 4.0/4.1.3 to completely verify this, but a user in the Discourse thread asserted that a substantially similar fix worked correctly.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D18611

+4 -1
src/applications/diffusion/controller/DiffusionServeController.php
··· 768 768 $input = strlen($input)."\n".$input."0\n"; 769 769 } 770 770 771 - $command = csprintf('%s serve --stdio', $bin); 771 + $command = csprintf( 772 + '%s serve -R %s --stdio', 773 + $bin, 774 + $repository->getLocalPath()); 772 775 $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 773 776 774 777 list($err, $stdout, $stderr) = id(new ExecFuture('%C', $command))
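
Review bot: The new `csprintf()` call (new lines 771-774) has no comment saying why `-R` is passed, and since `setCWD()` is kept a few lines below per the commit message, the flag looks redundant to a later reader and is easy to drop in a cleanup. Suggest a short comment above the call noting that newer Mercurial refuses `serve --stdio` without an explicit repository and that `-R` is what satisfies that safety check, with the CWD kept only for hooks. The path is passed through `%s`, so `$repository->getLocalPath()` is escaped as a single argument, which is right; it would also be worth confirming that `getLocalPath()` cannot be empty here, because an empty value would give `-R ''` rather than a clear error. The test plan states the change was not run against Mercurial 4.0/4.1.3, so a follow-up verification on one of those versions would close that gap.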