sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
--- a/mercurial/sshpeer.py Fri Aug 04 14:00:03 2017 -0400
+++ b/mercurial/sshpeer.py Tue Aug 01 14:40:19 2017 -0700
@@ -139,6 +139,8 @@
if u.scheme != 'ssh' or not u.host or u.path is None:
self._abort(error.RepoError(_("couldn't parse location %s") % path))
+ util.checksafessh(path)
+
self.user = u.user
if u.passwd is not None:
self._abort(error.RepoError(_("password in URL not supported")))