how to enable extension for hgweb?

[Christian Ebert]

* Alexis S. L. Carvalho on Wednesday, July 04, 2007 at 14:06:35 -0300:
> Thus spake Christian Ebert:
>> With my local server I can do that eg. by writing the according
>> configuration in /etc/mercurial/hgrc or, better, by
>> $ chown www:www repo/.hg/hgrc
>> 
>> Unfortunately, for my public repos, I have not access to /etc/
>> and not the permissions to change the owner of repo/.hg/hgrc
> 
> Mercurial refuses to load extensions from hgrc files from users/groups
> it doesn't trust.  This is a basic security check to avoid running
> arbitrary code.  It sounds like, in your setup, the cgi script is run by
> user "www", which won't trust your user by default.
> 
>> Does anybody happen to have an idea how to circumvent this from
>> within mercurial, in this case installed in
>> $HOME/lib/python/{mercurial,hgext} ?
> 
> Can you change the cgi script?

Yes.

> In this case, add something like this to it:
> 
> import os
> os.environ['HGRCPATH'] = '/path/to/a/hgrc'

Ah! I had been almost there, experimented with $HGRCPATH, but
not from within the cgi script.

> And then put this in /path/to/a/hgrc:
> 
> [trusted]
> users = my-username

Thanks! It works now.

> The HGRCPATH environment variable points to the global hgrc files, which
> are always trusted (note that hg won't read other files like
> /etc/mercurial/hgrc or ~/.hgrc when this variable is set).  You use this
> file to tell hg what users to trust (I guess you could just load the
> extension directly, too...).
> 
> If you can't change the cgi script, you can try to change e.g. the
> util.os_rcpath function to read some specific hgrc file: just add a
> path.append('/path/to/a/hgrc') somewhere there.

Thanks again for the thorough explanation.

c
-- 
keyword extension for Mercurial (http://selenic.com/mercurial):
<http://www.blacktrash.org/hg/hgkeyword/>
Mercurial crew development repository + keyword extension:
<http://www.blacktrash.org/hg/hg-crew-keyword/>