Mercurial > hg-stable
view tests/test-debian-packages.t @ 33654:475af2f89636 stable
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:04:44 -0700 |
parents | ddd65b4f3ae6 |
children | 3d936da4f97b |
line wrap: on
line source
#require test-repo slow debhelper $ . "$TESTDIR/helpers-testrepo.sh" $ testrepohgenv Ensure debuild doesn't run the testsuite, as that could get silly. $ DEB_BUILD_OPTIONS=nocheck $ export DEB_BUILD_OPTIONS $ OUTPUTDIR=`pwd` $ export OUTPUTDIR $ cd "$TESTDIR"/.. $ make deb > $OUTPUTDIR/build.log 2>&1 $ cd $OUTPUTDIR $ ls *.deb mercurial-common_*.deb (glob) mercurial_*.deb (glob) main deb should have .so but no .py $ dpkg --contents mercurial_*.deb | egrep '(localrepo|parsers)' * ./usr/lib/python2.7/dist-packages/mercurial/parsers*.so (glob) mercurial-common should have py but no .so or pyc $ dpkg --contents mercurial-common_*.deb | egrep '(localrepo|parsers)' * ./usr/lib/python2.7/dist-packages/mercurial/localrepo.py (glob)