[3.7] mercurial: HTTP server permissions bypass (CVE-2018-1000132)
All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:
- Perform writes on repositories that should be read-only.
- Perform reads on repositories that shouldn’t allow read access.
Wire protocol commands that didn’t explicitly declare their permissions had no permissions checking done.
The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.
The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
Patch:
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1
(from redmine: issue id 8826, created on 2018-04-24, closed on 2018-07-30)
- Relations:
- copied_to #8825 (closed)
- parent #8825 (closed)
- Changesets:
- Revision 1e894904 by Natanael Copa on 2018-07-30T07:51:46Z:
main/mercurial: security upgrade to 4.5.2 (CVE-2018-1000132)
fixes #8826
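
The two gaps described in the advisory above (commands with no declared permission skip the access check, and batch does not check its sub-commands), as a simplified model beside a fail-closed version. This is an added example, not Mercurial's code or its patch; the command names other than batch, the config keys and every function name are hypothetical.

```python
# Simplified model of a wire-protocol dispatcher (illustration only).

class Denied(Exception):
    pass

# command -> declared permission: "pull" = read, "push" = write,
# None = the command never declared what it needs (hypothetical names).
COMMANDS = {
    "read_cmd": "pull",
    "write_cmd": "push",
    "undeclared_cmd": None,
    "batch": None,  # wrapper that runs a list of sub-commands
}

def allowed(config, perm):
    # Stand-in for consulting the access-control options.
    return bool(config.get("allow_" + perm, False))

def dispatch_weak(config, cmd, subcmds=()):
    """Flawed: the config is consulted only when a permission is declared."""
    perm = COMMANDS[cmd]
    if perm is not None and not allowed(config, perm):
        raise Denied(cmd)
    # batch reaches this point unchecked and so do its sub-commands
    return list(subcmds) if cmd == "batch" else [cmd]

def check_strict(config, cmd, subcmds=()):
    """Fail closed: unknown or undeclared commands are refused."""
    if cmd == "batch":
        for name in subcmds:  # every sub-command is checked on its own
            check_strict(config, name)
        return
    perm = COMMANDS.get(cmd)
    if perm is None or not allowed(config, perm):
        raise Denied(cmd)

def dispatch_strict(config, cmd, subcmds=()):
    # All checks pass before anything is run.
    check_strict(config, cmd, subcmds)
    return list(subcmds) if cmd == "batch" else [cmd]

def undeclared():
    """Audit helper: commands that would have skipped the check."""
    return sorted(c for c, p in COMMANDS.items() if p is None)
```

Running `undeclared()` over a real command table is the kind of review check that finds this class of gap before release.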