Mercurial > hg
comparison tests/test-subrepo.t @ 33660:3fee7f7d2da0 stable 4.3.1
ssh: unban the use of pipe character in user@host:port string
This vulnerability was fixed by the previous patch and there were more ways
to exploit than using '|shellcmd'. So it doesn't make sense to reject only
pipe character.
Test cases are updated to actually try to exploit the bug. As the SSH bridge
of git/svn subrepos are not managed by our code, the tests for non-hg subrepos
are just removed.
This may be folded into the original patches.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Mon, 07 Aug 2017 22:22:28 +0900 |
| parents | 475af2f89636 |
| children | eb586ed5d8ce |
comparison
equal
deleted
inserted
replaced
| 33659:8cb9e921ef8c | 33660:3fee7f7d2da0 |
|---|---|
| 1790 | 1790 |
| 1791 $ cd .. | 1791 $ cd .. |
| 1792 | 1792 |
| 1793 test for ssh exploit 2017-07-25 | 1793 test for ssh exploit 2017-07-25 |
| 1794 | 1794 |
| 1795 $ cat >> $HGRCPATH << EOF | |
| 1796 > [ui] | |
| 1797 > ssh = sh -c "read l; read l; read l" | |
| 1798 > EOF | |
| 1799 | |
| 1795 $ hg init malicious-proxycommand | 1800 $ hg init malicious-proxycommand |
| 1796 $ cd malicious-proxycommand | 1801 $ cd malicious-proxycommand |
| 1797 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub | 1802 $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub |
| 1798 $ hg init s | 1803 $ hg init s |
| 1799 $ cd s | 1804 $ cd s |
| 1823 [255] | 1828 [255] |
| 1824 | 1829 |
| 1825 also check for a pipe | 1830 also check for a pipe |
| 1826 | 1831 |
| 1827 $ cd malicious-proxycommand | 1832 $ cd malicious-proxycommand |
| 1828 $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub | 1833 $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub |
| 1829 $ hg ci -m 'change url to pipe' | 1834 $ hg ci -m 'change url to pipe' |
| 1830 $ cd .. | 1835 $ cd .. |
| 1831 $ rm -r malicious-proxycommand-clone | 1836 $ rm -r malicious-proxycommand-clone |
| 1832 $ hg clone malicious-proxycommand malicious-proxycommand-clone | 1837 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
| 1833 updating to branch default | 1838 updating to branch default |
| 1834 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | 1839 abort: no suitable response from remote hg! |
| 1835 [255] | 1840 [255] |
| 1841 $ [ ! -f owned ] || echo 'you got owned' | |
| 1836 | 1842 |
| 1837 also check that a percent encoded '|' (%7C) doesn't work | 1843 also check that a percent encoded '|' (%7C) doesn't work |
| 1838 | 1844 |
| 1839 $ cd malicious-proxycommand | 1845 $ cd malicious-proxycommand |
| 1840 $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub | 1846 $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub |
| 1841 $ hg ci -m 'change url to percent encoded pipe' | 1847 $ hg ci -m 'change url to percent encoded pipe' |
| 1842 $ cd .. | 1848 $ cd .. |
| 1843 $ rm -r malicious-proxycommand-clone | 1849 $ rm -r malicious-proxycommand-clone |
| 1844 $ hg clone malicious-proxycommand malicious-proxycommand-clone | 1850 $ hg clone malicious-proxycommand malicious-proxycommand-clone |
| 1845 updating to branch default | 1851 updating to branch default |
| 1846 abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s") | 1852 abort: no suitable response from remote hg! |
| 1847 [255] | 1853 [255] |
| 1854 $ [ ! -f owned ] || echo 'you got owned' | |
| 1848 | 1855 |
| 1849 and bad usernames: | 1856 and bad usernames: |
| 1850 $ cd malicious-proxycommand | 1857 $ cd malicious-proxycommand |
| 1851 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub | 1858 $ echo 's = [hg]ssh://-oProxyCommand=touch owned@example.com/path' > .hgsub |
| 1852 $ hg ci -m 'owned username' | 1859 $ hg ci -m 'owned username' |