comparison tests/test-subrepo.t @ 33660:3fee7f7d2da0 stable 4.3.1
ssh: unban the use of pipe character in user@host:port string

This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.

Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.

This may be folded into the original patches.

author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Mon, 07 Aug 2017 22:22:28 +0900 |
parents | 475af2f89636 |
children | eb586ed5d8ce |
33659:8cb9e921ef8c | 33660:3fee7f7d2da0 |
---|---|
1790 | 1790 |
1791 $ cd .. | 1791 $ cd .. |
1792 | 1792 |
1793 test for ssh exploit 2017-07-25 | 1793 test for ssh exploit 2017-07-25 |
1794 | 1794 |
1795 $ cat >> $HGRCPATH << EOF | |
1796 > [ui] | |
1797 > ssh = sh -c "read l; read l; read l" | |
1798 > EOF | |
1799 | |
1795 $ hg init malicious-proxycommand | 1800 $ hg init malicious-proxycommand |
1796 $ cd malicious-proxycommand | 1801 $ cd malicious-proxycommand |
1797 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub | 1802 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
1798 $ hg init s | 1803 $ hg init s |
1799 $ cd s | 1804 $ cd s |
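
Review bot: The stub `ssh = sh -c "read l; read l; read l"` added at new lines 1795-1798 carries no comment saying why it reads exactly three lines, and because it is appended to $HGRCPATH with `>>` it stays in effect for every test that follows in this file. Please add a one-line note above the heredoc explaining what the stub stands in for, and consider scoping it to the affected commands (for example `--config ui.ssh=...` on each `hg clone`) or restoring the previous configuration once the ssh exploit section ends.
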
1823 [255] | 1828 [255] |
1824 | 1829 |
1825 also check for a pipe | 1830 also check for a pipe |
1826 | 1831 |
1827 $ cd malicious-proxycommand | 1832 $ cd malicious-proxycommand |
1828 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub | 1833 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub |
1829 $ hg ci -m 'change url to pipe' | 1834 $ hg ci -m 'change url to pipe' |
1830 $ cd .. | 1835 $ cd .. |
1831 $ rm -r malicious-proxycommand-clone | 1836 $ rm -r malicious-proxycommand-clone |
1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone | 1837 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1833 updating to branch default | 1838 updating to branch default |
1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | 1839 abort: no suitable response from remote hg! |
1835 [255] | 1840 [255] |
1841 $ [ ! -f owned ] || echo 'you got owned' | |
1836 | 1842 |
1837 also check that a percent encoded '|' (%7C) doesn't work | 1843 also check that a percent encoded '|' (%7C) doesn't work |
1838 | 1844 |
1839 $ cd malicious-proxycommand | 1845 $ cd malicious-proxycommand |
1840 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub | 1846 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub |
1841 $ hg ci -m 'change url to percent encoded pipe' | 1847 $ hg ci -m 'change url to percent encoded pipe' |
1842 $ cd .. | 1848 $ cd .. |
1843 $ rm -r malicious-proxycommand-clone | 1849 $ rm -r malicious-proxycommand-clone |
1844 $ hg clone malicious-proxycommand malicious-proxycommand-clone | 1850 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
1845 updating to branch default | 1851 updating to branch default |
1846 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | 1852 abort: no suitable response from remote hg! |
1847 [255] | 1853 [255] |
1854 $ [ ! -f owned ] || echo 'you got owned' | |
1848 | 1855 |
1849 and bad usernames: | 1856 and bad usernames: |
1850 $ cd malicious-proxycommand | 1857 $ cd malicious-proxycommand |
1851 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub | 1858 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
1852 $ hg ci -m 'owned username' | 1859 $ hg ci -m 'owned username' |
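
Review bot: The `[ ! -f owned ] || echo 'you got owned'` checks at new lines 1841 and 1854 only look in the directory the clone was started from, and since the expected output for both pipe cases is now the generic `abort: no suitable response from remote hg!`, that check is the only thing showing the payload did not run. If the command were ever executed with a different working directory, such as inside malicious-proxycommand-clone, the file would be missed and then deleted by the next `rm -r malicious-proxycommand-clone`. Consider searching the whole test directory for `owned` (for instance with `find`) before the clone is removed, and adding the same check after the 'bad usernames' case if it is not already there further down.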