convert: delete unused imports in git.py As reported by pyflakes

merge with stable

bundle: avoid crash when no good changegroup version found When using treemanifests, only changegroup3 bundles can be created. However, there is currently no way of requesting a changegroup3 bundle, so we run into an assertion in changegroup.getbundler() when trying to get a changroup2 bundler. Let's avoid the traceback and print a short error message instead.

exchange: make _pushb2ctx() look more like _getbundlechangegrouppart() The functions already have a lot in common, but were structured a little differently.

exchange: get rid of "getcgkwargs" variable This also makes the "version" argument explicit (never relies on getlocalchangegroupraw()'s default), which I think is a good thing.

bundle: move writebundle() from changegroup.py to bundle2.py (API) writebundle() writes a bundle2 bundle or a plain changegroup1. Imagine away the "2" in "bundle2.py" for a moment and this change should makes sense. The bundle wraps the changegroup, so it makes sense that it knows about it. Another sign that this is correct is that the delayed import of bundle2 in changegroup goes away. I'll leave it for another time to remove the "2" in "bundle2.py" (alternatively, extract a new bundle.py from it).

Added signature for changeset ae279d4a19e9

Added tag 3.7.3 for changeset ae279d4a19e9

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

convert: rewrite gitpipe to use common.commandline (SEC) CVE-2016-3069 (4/5)

convert: dead code removal - old git calling functions (SEC) CVE-2016-3069 (3/5)

convert: rewrite calls to Git to use the new shelling mechanism (SEC) CVE-2016-3069 (2/5) One test output changed because we were ignoring git return code in numcommits before.

convert: add new, non-clowny interface for shelling out to git (SEC) CVE-2016-3069 (1/5) To avoid shell injection and for the sake of simplicity let's use the common.commandline for calling git.

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.

parsers: detect short records (SEC) CVE-2016-3630 (2/2) This addresses part of a vulnerability in binary delta application.

parsers: fix list sizing rounding error (SEC) CVE-2016-3630 (1/2) This addresses part of a vulnerability in application of binary deltas.