util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
{
"version": 1,
"project": "mercurial",
"project_url": "https://mercurial-scm.org/",
"repo": "..",
"branches": ["default", "stable"],
"environment_type": "virtualenv",
"show_commit_url": "https://www.mercurial-scm.org/repo/hg/rev/",
"benchmark_dir": "benchmarks",
"env_dir": "../.asv/env",
"results_dir": "../.asv/results",
"html_dir": "../.asv/html"
}