Mercurial > hg
view hgext/largefiles/wirestore.py @ 33650:0b3fe3910ef5 stable
util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Fri, 28 Jul 2017 16:32:25 -0700 |
parents | 28dfcf3d0ad3 |
children | 6c55ce51d6c3 |
line wrap: on
line source
# Copyright 2010-2011 Fog Creek Software # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. '''largefile store working over Mercurial's wire protocol''' from __future__ import absolute_import from . import ( lfutil, remotestore, ) class wirestore(remotestore.remotestore): def __init__(self, ui, repo, remote): cap = remote.capable('largefiles') if not cap: raise lfutil.storeprotonotcapable([]) storetypes = cap.split(',') if 'serve' not in storetypes: raise lfutil.storeprotonotcapable(storetypes) self.remote = remote super(wirestore, self).__init__(ui, repo, remote.url()) def _put(self, hash, fd): return self.remote.putlfile(hash, fd) def _get(self, hash): return self.remote.getlfile(hash) def _stat(self, hashes): '''For each hash, return 0 if it is available, other values if not. It is usually 2 if the largefile is missing, but might be 1 the server has a corrupted copy.''' batch = self.remote.iterbatch() for hash in hashes: batch.statlfile(hash) batch.submit() return dict(zip(hashes, batch.results()))