Mercurial > hg
view tests/test-gendoc.t @ 33650:0b3fe3910ef5 stable
util: add utility method to check for bad ssh urls (SEC)
Our use of SSH has an exploit that will parse the first part of an url
blindly as a hostname. Prior to this set of security patches, a url
with '-oProxyCommand' could run arbitrary code on a user's machine. In
addition, at least on Windows, a pipe '|' can be abused to execute
arbitrary commands in a similar fashion.
We defend against this by checking ssh:// URLs and looking for a
hostname that starts with a - or contains a |.
When this happens, let's throw a big abort into the user's face so
that they can inspect what's going on.
author | Sean Farley <sean@farley.io> |
---|---|
date | Fri, 28 Jul 2017 16:32:25 -0700 |
parents | 75be14993fda |
children | 5abc47d4ca6b |
line wrap: on
line source
#require docutils #require gettext Test document extraction $ HGENCODING=UTF-8 $ export HGENCODING $ { echo C; ls "$TESTDIR/../i18n"/*.po | sort; } | while read PO; do > LOCALE=`basename "$PO" .po` > echo "% extracting documentation from $LOCALE" > LANGUAGE=$LOCALE $PYTHON "$TESTDIR/../doc/gendoc.py" >> gendoc-$LOCALE.txt 2> /dev/null || exit > > if [ $LOCALE != C ]; then > if [ ! -f $TESTDIR/test-gendoc-$LOCALE.t ]; then > echo missing test-gendoc-$LOCALE.t > fi > cmp -s gendoc-C.txt gendoc-$LOCALE.txt && echo "** NOTHING TRANSLATED ($LOCALE) **" > fi > done; true % extracting documentation from C % extracting documentation from da % extracting documentation from de % extracting documentation from el % extracting documentation from fr % extracting documentation from it % extracting documentation from ja % extracting documentation from pt_BR % extracting documentation from ro % extracting documentation from ru % extracting documentation from sv % extracting documentation from zh_CN % extracting documentation from zh_TW