Mercurial Mercurial > hg / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-extensions-wrapfunction.py.out
author Sean Farley <sean@farley.io>
Fri, 28 Jul 2017 16:32:25 -0700
branchstable
changeset 33650 0b3fe3910ef5
parent 29765 19578bb84731
child 34014 47e52f079a57
permissions -rw-r--r--
util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on.

wrap 0: [0, 'orig']
wrap 1: [1, 0, 'orig']
wrap 2: [2, 1, 0, 'orig']
wrap 3: [3, 2, 1, 0, 'orig']
wrap 4: [4, 3, 2, 1, 0, 'orig']
wrap 0: [0, 4, 3, 2, 1, 0, 'orig']
unwrap 3: 3: [0, 4, 2, 1, 0, 'orig']
unwrap -: 0: [4, 2, 1, 0, 'orig']
unwrap 0: 0: [4, 2, 1, 'orig']
unwrap 4: 4: [2, 1, 'orig']
unwrap 0: -: ValueError
unwrap 2: 2: [1, 'orig']
unwrap 1: 1: ['orig']
unwrap -: -: IndexError
Mercurial