util: add utility method to check for bad ssh urls (SEC)
Our use of SSH is exploitable: the host part of a URL is passed blindly to
ssh as a hostname. Prior to this set of security patches, a URL whose
hostname began with '-oProxyCommand' could run arbitrary code on a user's
machine. In addition, at least on Windows, a pipe '|' can be abused to
execute arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
#!/usr/bin/env bash
# A simple script for opening merge conflicts in the editor.
# Use the following Mercurial settings to enable it.
#
# [ui]
# merge = editmerge
#
# [merge-tools]
# editmerge.args=$output
# editmerge.check=changed
# editmerge.premerge=keep
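# Path of the file holding the conflict markers; hg passes it through
# editmerge.args=$output (see the header comment above).
FILE="$1"
# Refuse to go on without a readable file: otherwise grep finds no
# markers, no editor is opened and the script exits 0, reporting the
# merge as resolved although nothing was done.
if [ ! -r "$FILE" ] ; then
    echo "merge failed - cannot read '$FILE'"
    exit 1
fi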
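#######################################
# Print the line number of every conflict-start marker ("<<<<<<<")
# in $FILE, one per line; prints nothing when there are none.
# Globals:   FILE (read)
# Outputs:   line numbers on stdout
# Returns:   status of the trailing cut (callers test the output,
#            not the status)
#######################################
getlines() {
    # "--" stops grep from reading a $FILE that starts with "-" as
    # an option; "-n" prefixes each hit with "N:" and cut keeps N.
    grep -n -- "^<<<<<<" "$FILE" | cut -f1 -d:
}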
# Choose the editor, loosely following https://mercurial-scm.org/wiki/editor:
# $HGEDITOR, then $VISUAL, then $EDITOR. "hg showconfig ui.editor" is the
# last resort only because it is slow to run (about 0.15 seconds).
# An empty value is treated the same as an unset one.
ED="${HGEDITOR:-${VISUAL:-${EDITOR:-}}}"
if [ -z "$ED" ] ; then
    ED="$(hg showconfig ui.editor)"
fi
if [ -z "$ED" ] ; then
    echo "merge failed - unable to find editor"
    exit 1
fi
# The editors we know take "+N" as a first argument to open at line N.
# For those, reopen the file at the first remaining conflict until none
# are left or the user leaves the first conflict where it was between
# two rounds (i.e. stopped editing). Any other editor is just opened on
# the file once.
# $ED is deliberately unquoted so a value carrying options (for example
# "vim -u NONE") is split into the command and its arguments.
# NOTE(review): a $FILE beginning with "-" would be read as an editor
# option here; hg normally passes an absolute path - confirm.
case "$ED" in
    emacs|nano|vim)
        line="$(getlines | head -n 1)"
        last_line=""
        while [ -n "$line" ] && [ "$line" != "$last_line" ] ; do
            $ED "+$line" "$FILE"
            last_line="$line"
            line="$(getlines | head -n 1)"
        done
        ;;
    *)
        $ED "$FILE"
        ;;
esac
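# Report whatever conflicts are still left, as a ", "-separated list of
# line numbers. The join is done in awk instead of sed ':a;N;$!ba;...':
# when N finds no next line, GNU sed prints the pattern space, but
# POSIX/BSD sed (e.g. macOS) quits without printing, so a single
# remaining conflict would have produced an empty list and a bogus
# exit 0. awk's END prints an empty line for empty input, which the
# command substitution strips back to "".
CONFLICTS="$(getlines | awk '{ joined = (NR == 1) ? $0 : (joined ", " $0) } END { print joined }')"
if [ -n "$CONFLICTS" ] ; then
    echo "merge failed - resolve the conflicts (line $CONFLICTS) then use 'hg resolve --mark'"
    exit 1
fi
# No markers left: tell hg the merge succeeded.
exit 0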