Mercurial hg-stable: tests/test-hgweb-raw.t @ 33654:475af2f89636 (stable)
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
| author | Sean Farley <sean@farley.io> |
|---|---|
| date | Mon, 31 Jul 2017 16:04:44 -0700 |
| parents | 636cf3f7620d |
| children | 422be99519e5 |
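As an added example (not Mercurial's own code, and not part of the test file shown on this page), here is a conservative validator of the kind the commit message asks for: it refuses ssh-style URLs whose authority would be read by ssh as an option, or that contain a pipe character, before any ssh command line is built. The names `check_safe_ssh_url`, `UnsafeSshUrl` and `classify`, and the exact policy, are this example's assumptions.

```python
# Added example, not Mercurial's own code: a conservative validator for
# ssh-style URLs of the kind the commit message warns about. The names
# (check_safe_ssh_url, UnsafeSshUrl, classify) and the exact policy are
# this example's assumptions.
from urllib.parse import unquote, urlsplit

SSH_SCHEMES = ("ssh", "svn+ssh")


class UnsafeSshUrl(ValueError):
    """The URL could be read by ssh as an option or by a shell as a pipe."""


def check_safe_ssh_url(url):
    """Return url unchanged if it can be handed to an ssh command line.

    Refuses an authority that starts with '-' (ssh would parse it as an
    option, the -oProxyCommand case), a host that starts with '-' even
    behind 'user@', and a '|' anywhere in the decoded URL (the Windows
    pipe case). Percent-encoding is undone first so '%2D' or '%7C'
    cannot hide either. URLs with a non-ssh scheme are returned as-is.
    """
    decoded = unquote(url)
    parts = urlsplit(decoded)
    if parts.scheme not in SSH_SCHEMES:
        return url
    if "|" in decoded:
        raise UnsafeSshUrl("pipe character in ssh url: %r" % (url,))
    authority = parts.netloc
    host = authority.rpartition("@")[2]
    if authority.startswith("-") or host.startswith("-"):
        raise UnsafeSshUrl("ssh url host looks like an option: %r" % (url,))
    return url


def classify(urls):
    """Map each candidate subrepo source to 'ok' or 'abort': the decision
    the commit message wants made before any ssh process is started."""
    verdicts = {}
    for url in urls:
        try:
            check_safe_ssh_url(url)
            verdicts[url] = "ok"
        except UnsafeSshUrl:
            verdicts[url] = "abort"
    return verdicts
```

Percent-decoding before inspection matters: a URL that reaches the ssh command line is decoded on the way, so the check has to see the same bytes ssh will.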
```
#require serve

Test raw style of hgweb

  $ hg init test
  $ cd test
  $ mkdir sub
  $ cat >'sub/some text%.txt' <<ENDSOME
  > This is just some random text
  > that will go inside the file and take a few lines.
  > It is very boring to read, but computers don't
  > care about things like that.
  > ENDSOME
  $ hg add 'sub/some text%.txt'
  $ hg commit -d "1 0" -m "Just some text"

  $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid
  $ cat hg.pid >> $DAEMON_PIDS
  $ (get-with-headers.py localhost:$HGPORT '?f=bf0ff59095c9;file=sub/some%20text%25.txt;style=raw' content-type content-length content-disposition) >getoutput.txt
  $ killdaemons.py hg.pid

  $ cat getoutput.txt
  200 Script output follows
  content-type: application/binary
  content-length: 157
  content-disposition: inline; filename="some text%.txt"
  
  This is just some random text
  that will go inside the file and take a few lines.
  It is very boring to read, but computers don't
  care about things like that.
  $ cat access.log error.log
  $LOCALIP - - [*] "GET /?f=bf0ff59095c9;file=sub/some%20text%25.txt;style=raw HTTP/1.1" 200 - (glob)

  $ rm access.log error.log
  $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid \
  > --config web.guessmime=True
  $ cat hg.pid >> $DAEMON_PIDS
  $ (get-with-headers.py localhost:$HGPORT '?f=bf0ff59095c9;file=sub/some%20text%25.txt;style=raw' content-type content-length content-disposition) >getoutput.txt
  $ killdaemons.py hg.pid

  $ cat getoutput.txt
  200 Script output follows
  content-type: text/plain; charset="ascii"
  content-length: 157
  content-disposition: inline; filename="some text%.txt"
  
  This is just some random text
  that will go inside the file and take a few lines.
  It is very boring to read, but computers don't
  care about things like that.
  $ cat access.log error.log
  $LOCALIP - - [*] "GET /?f=bf0ff59095c9;file=sub/some%20text%25.txt;style=raw HTTP/1.1" 200 - (glob)

  $ cd ..
```