Mercurial > hg
view .hgignore @ 33650:0b3fe3910ef5 stable
util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Fri, 28 Jul 2017 16:32:25 -0700 |
parents | 91ae09010950 |
children | bd8875b6473c |
line wrap: on
line source
syntax: glob *.elc *.tmp *.orig *.rej *~ *.mergebackup *.o *.so *.dll *.exe *.pyd *.pyc *.pyo *$py.class *.swp *.prof *.zip \#*\# .\#* tests/.coverage* tests/.testtimes* tests/.hypothesis tests/hypothesis-generated tests/annotated tests/*.err tests/htmlcov build contrib/chg/chg contrib/hgsh/hgsh contrib/vagrant/.vagrant contrib/docker/debian-* contrib/docker/ubuntu-* dist packages doc/common.txt doc/*.[0-9] doc/*.[0-9].txt doc/*.[0-9].gendoc.txt doc/*.[0-9].{x,ht}ml MANIFEST MANIFEST.in patches mercurial/__modulepolicy__.py mercurial/__version__.py mercurial/hgpythonlib.h mercurial.egg-info .DS_Store tags cscope.* .idea/* .asv/* i18n/hg.pot locale/*/LC_MESSAGES/hg.mo hgext/__index__.py # Generated wheels wheelhouse/ syntax: regexp ^\.pc/ ^\.(pydev)?project # hackable windows distribution additions ^hg-python ^hg.py$