Mercurial > hg
comparison mercurial/sshpeer.py @ 33636:f93975a5ebe8 stable
sshpeer: check for safe ssh url (SEC)
Checking in the sshpeer for a rogue ssh:// urls seems like the right
place to do it (instead of whack-a-mole with pull, clone, push, etc).
author | Sean Farley <sean@farley.io> |
---|---|
date | Tue, 01 Aug 2017 14:40:19 -0700 |
parents | ad6c5497cd15 |
children | 00a75672a9cb |
comparison
equal
deleted
inserted
replaced
33635:e10745311406 | 33636:f93975a5ebe8 |
---|---|
135 self.pipeo = self.pipei = self.pipee = None | 135 self.pipeo = self.pipei = self.pipee = None |
136 | 136 |
137 u = util.url(path, parsequery=False, parsefragment=False) | 137 u = util.url(path, parsequery=False, parsefragment=False) |
138 if u.scheme != 'ssh' or not u.host or u.path is None: | 138 if u.scheme != 'ssh' or not u.host or u.path is None: |
139 self._abort(error.RepoError(_("couldn't parse location %s") % path)) | 139 self._abort(error.RepoError(_("couldn't parse location %s") % path)) |
140 | |
141 util.checksafessh(path) | |
140 | 142 |
141 self.user = u.user | 143 self.user = u.user |
142 if u.passwd is not None: | 144 if u.passwd is not None: |
143 self._abort(error.RepoError(_("password in URL not supported"))) | 145 self._abort(error.RepoError(_("password in URL not supported"))) |
144 self.host = u.host | 146 self.host = u.host |