context: use a the nofsauditor when matching file in history (issue4749) Before this change, asking for file from history (eg: 'hg cat -r 42 foo/bar') could fail because of the current content of the working copy (eg: current "foo" being a symlink). As the working copy state have no influence on the content of the history, we can safely skip these checks. The working copy context class have a different 'match' implementation. That implementation still use the repo.auditor will still catch symlink traversal. I've audited all stuff calling "match" and they all go through a ctx in a sensible way. The most unclear case was diff which still seemed okay. You raised my paranoid level today and I double checked through tests. They behave properly. The odds of someone using the wrong (matching with a changectx for operation that will eventually touch the file system) is non-zero because you are never sure of what people will do. But I dunno if we can fight against that. So I would not commit to "never" for "at this level" and "in the future" if someone write especially bad code. However, as a last defense, the vfs itself is running path auditor in all cases outside of .hg/. So I think anything passing the 'matcher' for buggy reason would growl at the vfs layer.

+
−# A dummy extension that installs an hgweb command that throws an Exception.
+
−
+
−from mercurial.hgweb import webcommands
+
−
+
−def raiseerror(web, req, tmpl):
+
−    '''Dummy web command that raises an uncaught Exception.'''
+
−
+
−    # Simulate an error after partial response.
+
−    if 'partialresponse' in req.form:
+
−        req.respond(200, 'text/plain')
+
−        req.write('partial content\n')
+
−
+
−    raise AttributeError('I am an uncaught error!')
+
−
+
−def extsetup(ui):
+
−    setattr(webcommands, 'raiseerror', raiseerror)
+
−    webcommands.__all__.append('raiseerror')