Mercurial > hg-stable
view tests/test-config-env.py @ 33654:475af2f89636 stable
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
| author | Sean Farley <sean@farley.io> |
|---|---|
| date | Mon, 31 Jul 2017 16:04:44 -0700 |
| parents | 08fbc97d1364 |
| children | a22915edc279 |
line wrap: on
line source
# Test the config layer generated by environment variables from __future__ import absolute_import, print_function import os from mercurial import ( encoding, rcutil, ui as uimod, util, ) testtmp = encoding.environ['TESTTMP'] # prepare hgrc files def join(name): return os.path.join(testtmp, name) with open(join('sysrc'), 'w') as f: f.write('[ui]\neditor=e0\n[pager]\npager=p0\n') with open(join('userrc'), 'w') as f: f.write('[ui]\neditor=e1') # replace rcpath functions so they point to the files above def systemrcpath(): return [join('sysrc')] def userrcpath(): return [join('userrc')] rcutil.systemrcpath = systemrcpath rcutil.userrcpath = userrcpath os.path.isdir = lambda x: False # hack: do not load default.d/*.rc # utility to print configs def printconfigs(env): encoding.environ = env rcutil._rccomponents = None # reset cache ui = uimod.ui.load() for section, name, value in ui.walkconfig(): source = ui.configsource(section, name) print('%s.%s=%s # %s' % (section, name, value, util.pconvert(source))) print('') # environment variable overrides printconfigs({}) printconfigs({'EDITOR': 'e2', 'PAGER': 'p2'})