diff mercurial/windows.py @ 33657:8cb9e921ef8c stable

ssh: quote parameters using shellquote (SEC) This patch uses shellquote to quote ssh parameters more strictly to avoid shell injection.
author Jun Wu <quark@fb.com>
date Fri, 04 Aug 2017 23:54:12 -0700
parents 739cc0f9cbb4
children d5b2beca16c0
--- a/mercurial/windows.py	Mon Jul 31 14:55:11 2017 -0700
+++ b/mercurial/windows.py	Fri Aug 04 23:54:12 2017 -0700
@@ -208,7 +208,10 @@
         raise error.Abort(
             _('illegal ssh hostname or username starting with - or /: %s') %
             args)
-    return port and ("%s %s %s" % (args, pflag, port)) or args
+    args = shellquote(args)
+    if port:
+        args = '%s %s %s' % (pflag, shellquote(port), args)
+    return args
 
 def setflags(f, l, x):
     pass
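Review bot: The port on the new `args = '%s %s %s' % (pflag, shellquote(port), args)` line is quoted but never checked to be a number, so the safety of that argument rests entirely on `shellquote`, whose Windows implementation is defined outside this hunk. A port has a fixed shape, so a guard ahead of the quoting, e.g. `if port and not str(port).isdigit(): raise error.Abort(_('illegal ssh port: %s') % port)`, would make the function fail closed the same way the hostname check above it does. The function also now returns an already-quoted string with the option placed before the host, and its docstring (which starts above the hunk) should say so, for instance `Return a shell-quoted ssh argument string; callers must not quote it again.`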