context: use a the nofsauditor when matching file in history (issue4749) Before this change, asking for file from history (eg: 'hg cat -r 42 foo/bar') could fail because of the current content of the working copy (eg: current "foo" being a symlink). As the working copy state have no influence on the content of the history, we can safely skip these checks. The working copy context class have a different 'match' implementation. That implementation still use the repo.auditor will still catch symlink traversal. I've audited all stuff calling "match" and they all go through a ctx in a sensible way. The most unclear case was diff which still seemed okay. You raised my paranoid level today and I double checked through tests. They behave properly. The odds of someone using the wrong (matching with a changectx for operation that will eventually touch the file system) is non-zero because you are never sure of what people will do. But I dunno if we can fight against that. So I would not commit to "never" for "at this level" and "in the future" if someone write especially bad code. However, as a last defense, the vfs itself is running path auditor in all cases outside of .hg/. So I think anything passing the 'matcher' for buggy reason would growl at the vfs layer.

+
−  $ hg init a
+
−  $ cd a
+
−  $ hg init b
+
−  $ echo x > b/x
+
−
+
−Should print nothing:
+
−
+
−  $ hg add b
+
−  $ hg st
+
−
+
−  $ echo y > b/y
+
−  $ hg st
+
−
+
−Should fail:
+
−
+
−  $ hg st b/x
+
−  abort: path 'b/x' is inside nested repo 'b' (glob)
+
−  [255]
+
−  $ hg add b/x
+
−  abort: path 'b/x' is inside nested repo 'b' (glob)
+
−  [255]
+
−
+
−Should fail:
+
−
+
−  $ hg add b b/x
+
−  abort: path 'b/x' is inside nested repo 'b' (glob)
+
−  [255]
+
−  $ hg st
+
−
+
−Should arguably print nothing:
+
−
+
−  $ hg st b
+
−
+
−  $ echo a > a
+
−  $ hg ci -Ama a
+
−
+
−Should fail:
+
−
+
−  $ hg mv a b
+
−  abort: path 'b/a' is inside nested repo 'b' (glob)
+
−  [255]
+
−  $ hg st
+
−
+
−  $ cd ..