Mercurial > hg-stable
view tests/test-demandimport.py.out @ 33654:475af2f89636 stable
subrepo: add tests for hg rogue ssh urls (SEC)

'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.

When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.

author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:04:44 -0700 |
parents | 91a2ec8e7fa0 |
children | b39f0fdb0338 |
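
An added example, not code from the Mercurial repository: a pre-flight audit of `.hgsub` entries for the two conditions the commit message names, an ssh host that begins with '-' and a '|' in the URL. The function names, the reason strings and the sample entries are hypothetical, and Mercurial's own check may differ.

```python
from urllib.parse import unquote

SSH_SCHEMES = ("ssh", "svn+ssh")

def unsafe_reason(source):
    """Return why a subrepo source is unsafe to hand to ssh, or None if acceptable."""
    if source.startswith("["):            # strip a "[git]" / "[svn]" kind prefix
        source = source.split("]", 1)[-1]
    decoded = unquote(source.strip())     # catches %2D and %7C encoded forms
    scheme, sep, rest = decoded.partition("://")
    if not sep or scheme.lower() not in SSH_SCHEMES:
        return None                       # only ssh-style sources are checked here
    authority = rest.split("/", 1)[0]     # [user@]host[:port]
    host = authority.rpartition("@")[2]
    if authority.startswith("-") or host.startswith("-"):
        return "host would be parsed by ssh as a command-line option"
    if "|" in decoded:
        return "pipe character could reach a command interpreter"
    return None

def audit_hgsub(text):
    """Return [(path, source, reason)] for every unsafe entry in .hgsub content."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        reason = unsafe_reason(source)
        if reason:
            findings.append((path, source, reason))
    return findings

# Constructed sample .hgsub; hosts and the "placeholder" value are made up.
SAMPLE_HGSUB = """\
# path = source
docs = https://hg.example.org/docs
vendor/lib = ssh://hg@hg.example.org/lib
s1 = ssh://-oProxyCommand=placeholder/path
s2 = ssh://%2DoProxyCommand=placeholder/path
s3 = ssh://fakehost|placeholder/path
s4 = [svn]svn+ssh://-oProxyCommand=placeholder/path
"""

if __name__ == "__main__":
    for path, source, reason in audit_hgsub(SAMPLE_HGSUB):
        print(f"abort: potentially unsafe url in subrepo {path!r}: {source!r} ({reason})")
```

Decoding before checking matters: the percent-encoded entry `s2` is flagged for the same reason as `s1`.
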
```
os = <unloaded module 'os'>
os.system = <built-in function system>
os = <module 'os' from '?'>
util = <unloaded module 'util'>
util.system = <function system at 0x?>
util = <module 'mercurial.util' from '?'>
util.system = <function system at 0x?>
hgweb = <unloaded module 'hgweb'>
hgweb_mod = <unloaded module 'hgweb_mod'>
hgweb = <module 'mercurial.hgweb' from '?'>
fred = <unloaded module 're'>
remod = <unloaded module 're'>
re = <unloaded module 'sys'>
fred = <unloaded module 're'>
fred.sub = <function sub at 0x?>
fred = <proxied module 're'>
remod = <module 're' from '?'>
re = <unloaded module 'sys'>
re.stderr = <open file '<whatever>', mode 'w' at 0x?>
re = <proxied module 'sys'>
pvecproxy = <unloaded module 'pvec'>
pvecproxy.__doc__ = 'A "pvec" is ...'
pvecproxy.__name__ = 'mercurial.pvec'
pvecproxy.__dict__['__name__'] = 'mercurial.pvec'
pvecproxy = <proxied module 'pvec'>
contextlib = <unloaded module 'contextlib'>
contextlib.unknownattr = ImportError: cannot import name unknownattr
__import__('contextlib', ..., ['unknownattr']) = <module 'contextlib' from '?'>
hasattr(contextlibimp, 'unknownattr') = False
node = <module 'mercurial.node' from '?'>
```