Martin von Zweigbergk <martinvonz@google.com> [Tue, 29 Mar 2016 10:49:33 -0700] rev 28671
convert: delete unused imports in git.py
As reported by pyflakes
Matt Mackall <mpm@selenic.com> [Tue, 29 Mar 2016 12:29:00 -0500] rev 28670
merge with stable
Martin von Zweigbergk <martinvonz@google.com> [Fri, 25 Mar 2016 23:05:32 -0700] rev 28669
bundle: avoid crash when no good changegroup version found
When using treemanifests, only changegroup3 bundles can be
created. However, there is currently no way of requesting a
changegroup3 bundle, so we run into an assertion in
changegroup.getbundler() when trying to get a changroup2
bundler. Let's avoid the traceback and print a short error message
instead.
Martin von Zweigbergk <martinvonz@google.com> [Fri, 25 Mar 2016 16:13:28 -0700] rev 28668
exchange: make _pushb2ctx() look more like _getbundlechangegrouppart()
The functions already have a lot in common, but were structured a
little differently.
Martin von Zweigbergk <martinvonz@google.com> [Fri, 25 Mar 2016 16:01:40 -0700] rev 28667
exchange: get rid of "getcgkwargs" variable
This also makes the "version" argument explicit (never relies on
getlocalchangegroupraw()'s default), which I think is a good thing.
Martin von Zweigbergk <martinvonz@google.com> [Mon, 28 Mar 2016 14:41:29 -0700] rev 28666
bundle: move writebundle() from changegroup.py to bundle2.py (API)
writebundle() writes a bundle2 bundle or a plain changegroup1. Imagine
away the "2" in "bundle2.py" for a moment and this change should makes
sense. The bundle wraps the changegroup, so it makes sense that it
knows about it. Another sign that this is correct is that the delayed
import of bundle2 in changegroup goes away.
I'll leave it for another time to remove the "2" in "bundle2.py"
(alternatively, extract a new bundle.py from it).
Matt Mackall <mpm@selenic.com> [Tue, 29 Mar 2016 11:54:46 -0500] rev 28665
Added signature for changeset ae279d4a19e9
Matt Mackall <mpm@selenic.com> [Tue, 29 Mar 2016 11:54:45 -0500] rev 28664
Added tag 3.7.3 for changeset ae279d4a19e9
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:27:27 -0700] rev 28663
convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28662
convert: rewrite gitpipe to use common.commandline (SEC)
CVE-2016-3069 (4/5)
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28661
convert: dead code removal - old git calling functions (SEC)
CVE-2016-3069 (3/5)
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28660
convert: rewrite calls to Git to use the new shelling mechanism (SEC)
CVE-2016-3069 (2/5)
One test output changed because we were ignoring git return code in numcommits
before.
Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28659
convert: add new, non-clowny interface for shelling out to git (SEC)
CVE-2016-3069 (1/5)
To avoid shell injection and for the sake of simplicity let's use the
common.commandline for calling git.
Mateusz Kwapich <mitrandir@fb.com> [Sun, 20 Mar 2016 21:52:21 -0700] rev 28658
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
CVE-2016-3068 (1/1)
Git's git-remote-ext remote helper provides an ext:: URL scheme that
allows running arbitrary shell commands. This feature allows
implementing simple git smart transports with a single shell shell
command. However, git submodules could clone arbitrary URLs specified
in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
in git v2.6.1.
However, if a user directly clones a malicious ext URL, the git client
will still run arbitrary shell commands.
Mercurial is similarly effected. Mercurial allows specifying git
repositories as subrepositories. Git ext:: URLs can be specified as
Mercurial subrepositories allowing arbitrary shell commands to be run
on `hg clone ...`.
The Mercurial community would like to thank Blake Burkhart for
reporting this issue. The description of the issue is copied from
Blake's report.
This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
variable to git commands with the same list of allowed protocols that
git submodule is using.
When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
to git without modifications.
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:30:26 -0700] rev 28657
parsers: detect short records (SEC)
CVE-2016-3630 (2/2)
This addresses part of a vulnerability in binary delta application.
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:29:29 -0700] rev 28656
parsers: fix list sizing rounding error (SEC)
CVE-2016-3630 (1/2)
This addresses part of a vulnerability in application of binary
deltas.