Mercurial > hg

diff tests/test-subrepo.t @ 33660:3fee7f7d2da0 stable 4.3.1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ssh: unban the use of pipe character in user@host:port string This vulnerability was fixed by the previous patch and there were more ways to exploit than using '|shellcmd'. So it doesn't make sense to reject only pipe character. Test cases are updated to actually try to exploit the bug. As the SSH bridge of git/svn subrepos are not managed by our code, the tests for non-hg subrepos are just removed. This may be folded into the original patches.
author Yuya Nishihara <yuya@tcha.org>
date Mon, 07 Aug 2017 22:22:28 +0900
parents 475af2f89636
children eb586ed5d8ce
line wrap: on
line diff
--- a/tests/test-subrepo.t	Fri Aug 04 23:54:12 2017 -0700
+++ b/tests/test-subrepo.t	Mon Aug 07 22:22:28 2017 +0900
@@ -1792,6 +1792,11 @@
 
 test for ssh exploit 2017-07-25
 
+  $ cat >> $HGRCPATH << EOF
+  > [ui]
+  > ssh = sh -c "read l; read l; read l"
+  > EOF
+
   $ hg init malicious-proxycommand
   $ cd malicious-proxycommand
   $ echo 's = [hg]ssh://-oProxyCommand=touch${IFS}owned/path' > .hgsub
@@ -1825,26 +1830,28 @@
 also check for a pipe
 
   $ cd malicious-proxycommand
-  $ echo 's = [hg]ssh://fakehost|shell/path' > .hgsub
+  $ echo 's = [hg]ssh://fakehost|touch${IFS}owned/path' > .hgsub
   $ hg ci -m 'change url to pipe'
   $ cd ..
   $ rm -r malicious-proxycommand-clone
   $ hg clone malicious-proxycommand malicious-proxycommand-clone
   updating to branch default
-  abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
+  abort: no suitable response from remote hg!
   [255]
+  $ [ ! -f owned ] || echo 'you got owned'
 
 also check that a percent encoded '|' (%7C) doesn't work
 
   $ cd malicious-proxycommand
-  $ echo 's = [hg]ssh://fakehost%7Cshell/path' > .hgsub
+  $ echo 's = [hg]ssh://fakehost%7Ctouch%20owned/path' > .hgsub
   $ hg ci -m 'change url to percent encoded pipe'
   $ cd ..
   $ rm -r malicious-proxycommand-clone
   $ hg clone malicious-proxycommand malicious-proxycommand-clone
   updating to branch default
-  abort: potentially unsafe url: 'ssh://fakehost|shell/path' (in subrepository "s")
+  abort: no suitable response from remote hg!
   [255]
+  $ [ ! -f owned ] || echo 'you got owned'
 
 and bad usernames:
   $ cd malicious-proxycommand