1778 |
1778 |
1779 $ cd .. |
1779 $ cd .. |
1780 |
1780 |
1781 test for ssh exploit 2017-07-25 |
1781 test for ssh exploit 2017-07-25 |
1782 |
1782 |
|
1783 $ cat >> $HGRCPATH << EOF |
|
1784 > [ui] |
|
1785 > ssh = sh -c "read l; read l; read l" |
|
1786 > EOF |
|
1787 |
1783 $ hg init malicious-proxycommand |
1788 $ hg init malicious-proxycommand |
1784 $ cd malicious-proxycommand |
1789 $ cd malicious-proxycommand |
1785 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
1790 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
1786 $ hg init s |
1791 $ hg init s |
1787 $ cd s |
1792 $ cd s |
1811 [255] |
1816 [255] |
1812 |
1817 |
1813 also check for a pipe |
1818 also check for a pipe |
1814 |
1819 |
1815 $ cd malicious-proxycommand |
1820 $ cd malicious-proxycommand |
1816 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub |
1821 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub |
1817 $ hg ci -m 'change url to pipe' |
1822 $ hg ci -m 'change url to pipe' |
1818 $ cd .. |
1823 $ cd .. |
1819 $ rm -r malicious-proxycommand-clone |
1824 $ rm -r malicious-proxycommand-clone |
1820 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1825 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1821 updating to branch default |
1826 updating to branch default |
1822 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s) |
1827 abort: no suitable response from remote hg! |
1823 [255] |
1828 [255] |
|
1829 $ [ ! -f owned ] || echo 'you got owned' |
1824 |
1830 |
1825 also check that a percent encoded '|' (%7C) doesn't work |
1831 also check that a percent encoded '|' (%7C) doesn't work |
1826 |
1832 |
1827 $ cd malicious-proxycommand |
1833 $ cd malicious-proxycommand |
1828 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub |
1834 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub |
1829 $ hg ci -m 'change url to percent encoded pipe' |
1835 $ hg ci -m 'change url to percent encoded pipe' |
1830 $ cd .. |
1836 $ cd .. |
1831 $ rm -r malicious-proxycommand-clone |
1837 $ rm -r malicious-proxycommand-clone |
1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1838 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1833 updating to branch default |
1839 updating to branch default |
1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepo s) |
1840 abort: no suitable response from remote hg! |
1835 [255] |
1841 [255] |
|
1842 $ [ ! -f owned ] || echo 'you got owned' |
1836 |
1843 |
1837 and bad usernames: |
1844 and bad usernames: |
1838 $ cd malicious-proxycommand |
1845 $ cd malicious-proxycommand |
1839 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
1846 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
1840 $ hg ci -m 'owned username' |
1847 $ hg ci -m 'owned username' |