diff hgext/convert/git.py @ 29051:a56296f55a5e stable 3.8.1

convert: pass absolute paths to git (SEC) Fixes CVE-2016-3105 (1/1). Previously, it was possible for the repository path passed to git-ls-remote to be misinterpreted as a URL. Always passing an absolute path to git is a simple way to avoid this.
author Blake Burkhart <bburky@bburky.com>
date Wed, 06 Apr 2016 22:57:46 -0500
parents e1d26630443d
children a0939666b836
--- a/hgext/convert/git.py	Sun May 01 13:52:26 2016 -0500
+++ b/hgext/convert/git.py	Wed Apr 06 22:57:46 2016 -0500
@@ -57,6 +57,10 @@
         super(convert_git, self).__init__(ui, path, revs=revs)
         common.commandline.__init__(self, ui, 'git')
 
+        # Pass an absolute path to git to prevent from ever being interpreted
+        # as a URL
+        path = os.path.abspath(path)
+
         if os.path.isdir(path + "/.git"):
             path += "/.git"
         if not os.path.exists(path + "/objects"):
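Review bot: The added `path = os.path.abspath(path)` runs after `super(convert_git, self).__init__(ui, path, revs=revs)` has already been given the caller's original string, so any copy the base class stores is still the un-normalised form. Whether that stored copy ever reaches a git command line is not visible in this hunk; if it can, it would sidestep the fix, so either move the abspath call above the super() call or confirm the base class value is never passed to git. The new comment is also missing a word and would read better as `# Pass an absolute path to git to prevent it from ever being interpreted`. A regression test that constructs the converter with a relative, URL-looking path and asserts the value handed to git is absolute would keep this from regressing. __init__ begins and ends outside the hunk.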