Mercurial > hg-stable
view hg @ 33638:55681baf4cf9 stable
subrepo: add tests for hg rogue ssh urls (SEC)
'ssh://' has an exploit that will pass the url blindly to the ssh
command, allowing a malicious person to have a subrepo with
'-oProxyCommand' which could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' is able to execute arbitrary
commands.
When this happens, let's throw a big abort into the user's face so that
they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Mon, 31 Jul 2017 16:04:44 -0700 |
parents | 1f5052d35b30 |
children | b4810bf95c03 |
line wrap: on
line source
#!/usr/bin/env python # # mercurial - scalable distributed SCM # # Copyright 2005-2007 Matt Mackall <mpm@selenic.com> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. import os import sys if os.environ.get('HGUNICODEPEDANTRY', False): try: reload(sys) sys.setdefaultencoding("undefined") except NameError: pass libdir = '@LIBDIR@' if libdir != '@' 'LIBDIR' '@': if not os.path.isabs(libdir): libdir = os.path.join(os.path.dirname(os.path.realpath(__file__)), libdir) libdir = os.path.abspath(libdir) sys.path.insert(0, libdir) # enable importing on demand to reduce startup time try: if sys.version_info[0] < 3: from mercurial import demandimport; demandimport.enable() except ImportError: sys.stderr.write("abort: couldn't find mercurial libraries in [%s]\n" % ' '.join(sys.path)) sys.stderr.write("(check your install and PYTHONPATH)\n") sys.exit(-1) import mercurial.util import mercurial.dispatch for fp in (sys.stdin, sys.stdout, sys.stderr): mercurial.util.setbinary(fp) mercurial.dispatch.run()