Mercurial > hg

diff mercurial/windows.py @ 33651:739cc0f9cbb4 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ssh: ban any username@host or host that starts with - (SEC) This paranoia probably isn't required, but it can't hurt either.
author Augie Fackler <augie@google.com>
date Fri, 04 Aug 2017 14:00:03 -0400
parents 605f124d1146
children 8cb9e921ef8c
line wrap: on
line diff
--- a/mercurial/windows.py	Fri Jul 28 16:32:25 2017 -0700
+++ b/mercurial/windows.py	Fri Aug 04 14:00:03 2017 -0400
@@ -17,6 +17,7 @@
 from .i18n import _
 from . import (
     encoding,
+    error,
     policy,
     pycompat,
     win32,
@@ -203,6 +204,10 @@
     '''Build argument list for ssh or Plink'''
     pflag = 'plink' in sshcmd.lower() and '-P' or '-p'
     args = user and ("%s@%s" % (user, host)) or host
+    if args.startswith('-') or args.startswith('/'):
+        raise error.Abort(
+            _('illegal ssh hostname or username starting with - or /: %s') %
+            args)
     return port and ("%s %s %s" % (args, pflag, port)) or args
 
 def setflags(f, l, x):