Mercurial > hg-stable
view tests/test-hg-parseurl.py @ 33654:475af2f89636 stable
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:04:44 -0700 |
parents | d26c4af27978 |
children | 11d128a14ec0 |
line wrap: on
line source
from __future__ import absolute_import, print_function from mercurial import ( hg, ) def testparse(url, branch=[]): print('%s, branches: %r' % hg.parseurl(url, branch)) testparse('http://example.com/no/anchor') testparse('http://example.com/an/anchor#foo') testparse('http://example.com/no/anchor/branches', branch=['foo']) testparse('http://example.com/an/anchor/branches#bar', branch=['foo']) testparse('http://example.com/an/anchor/branches-None#foo', branch=None) testparse('http://example.com/') testparse('http://example.com') testparse('http://example.com#foo')