diff hgext/convert/git.py @ 29051:a56296f55a5e stable 3.8.1
convert: pass absolute paths to git (SEC)
Fixes CVE-2016-3105 (1/1).
Previously, it was possible for the repository path passed to git-ls-remote
to be misinterpreted as a URL.
Always passing an absolute path to git is a simple way to avoid this.
author | Blake Burkhart <bburky@bburky.com> |
---|---|
date | Wed, 06 Apr 2016 22:57:46 -0500 |
parents | e1d26630443d |
children | a0939666b836 |
--- a/hgext/convert/git.py Sun May 01 13:52:26 2016 -0500
+++ b/hgext/convert/git.py Wed Apr 06 22:57:46 2016 -0500
@@ -57,6 +57,10 @@
 super(convert_git, self).__init__(ui, path, revs=revs)
 common.commandline.__init__(self, ui, 'git')
+ # Pass an absolute path to git to prevent from ever being interpreted
+ # as a URL
+ path = os.path.abspath(path)
+
 if os.path.isdir(path + "/.git"):
 path += "/.git"
 if not os.path.exists(path + "/objects"):
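Review bot: The normalisation `path = os.path.abspath(path)` runs after `super(convert_git, self).__init__(ui, path, revs=revs)` has already received the caller's raw value, so anything the base class keeps from that argument is still un-normalised; the base class is not visible in this hunk, so this is an inference to confirm. If any later git invocation reads that stored copy rather than the local `path`, it would bypass the CVE-2016-3105 guard, so consider moving the assignment above the `super(...)` call or saying in the comment that only the local variable is safe to hand to git. The added comment is also missing a word: `# Pass an absolute path to git to prevent it from ever being interpreted` reads correctly. The enclosing `__init__` starts and ends outside the hunk.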