Mercurial > hg-stable
view tests/test-diff-hashes.t @ 33654:475af2f89636 stable
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:04:44 -0700 |
parents | f2719b387380 |
children | 251332dbf33d |
line wrap: on
line source
$ hg init a $ cd a $ hg diff inexistent1 inexistent2 inexistent1: * (glob) inexistent2: * (glob) $ echo bar > foo $ hg add foo $ hg ci -m 'add foo' $ echo foobar > foo $ hg ci -m 'change foo' $ hg --quiet diff -r 0 -r 1 --- a/foo Thu Jan 01 00:00:00 1970 +0000 +++ b/foo Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +1,1 @@ -bar +foobar $ hg diff -r 0 -r 1 diff -r a99fb63adac3 -r 9b8568d3af2f foo --- a/foo Thu Jan 01 00:00:00 1970 +0000 +++ b/foo Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +1,1 @@ -bar +foobar $ hg --verbose diff -r 0 -r 1 diff -r a99fb63adac3 -r 9b8568d3af2f foo --- a/foo Thu Jan 01 00:00:00 1970 +0000 +++ b/foo Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +1,1 @@ -bar +foobar $ hg --debug diff -r 0 -r 1 diff -r a99fb63adac3f31816a22f665bc3b7a7655b30f4 -r 9b8568d3af2f1749445eef03aede868a6f39f210 foo --- a/foo Thu Jan 01 00:00:00 1970 +0000 +++ b/foo Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +1,1 @@ -bar +foobar $ cd ..